5070e2c1776b1e15e4c4c6ad66837fb1bb5c293cdd0386b2e059e139547e458d

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 21:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5070e2c1776b1e15e4c4c6ad66837fb1bb5c293cdd0386b2e059e139547e458d.exe
Size

3.1MB
MD5

eea284a47068360cc43f1362b9c45ad4
SHA1

f33502be466ddcc3ec0d953d250ff3d4a60305dd
SHA256

5070e2c1776b1e15e4c4c6ad66837fb1bb5c293cdd0386b2e059e139547e458d
SHA512

de0c94ef9a680b780e4e3520121d913b3747fd3984ca9885883d99ecda3ebb8d09bdbca92e7050a72d05b955c8c9ea6b81f655744dc78e3fe03982f3f21993b1
SSDEEP

98304:BHgNDfXQ1veFPk5FaoCRrgGUDx4RVlbnP9WXW7H6C:kDfgZeVmCJWl4HBVH

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 24 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exeVCREDI~1.EXEmsiexec.exe

pid	process
216	alg.exe
3088	DiagnosticsHub.StandardCollector.Service.exe
3020	fxssvc.exe
4948	elevation_service.exe
3544	elevation_service.exe
4080	maintenanceservice.exe
4288	msdtc.exe
1996	OSE.EXE
4100	PerceptionSimulationService.exe
2904	perfhost.exe
452	locator.exe
2776	SensorDataService.exe
3456	snmptrap.exe
3656	spectrum.exe
1596	ssh-agent.exe
1200	TieringEngineService.exe
2352	AgentService.exe
3904	vds.exe
4320	vssvc.exe
2316	wbengine.exe
1804	WmiApSrv.exe
4396	SearchIndexer.exe
1952	VCREDI~1.EXE
2036	msiexec.exe

Loads dropped DLL 1 IoCs

Processes:

MsiExec.exe

pid process

1760 MsiExec.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
1760	MsiExec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

5070e2c1776b1e15e4c4c6ad66837fb1bb5c293cdd0386b2e059e139547e458d.exeVCREDI~1.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5070e2c1776b1e15e4c4c6ad66837fb1bb5c293cdd0386b2e059e139547e458d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	VCREDI~1.EXE

Blocklisted process makes network request 1 IoCs

Processes:

msiexec.exe

flow pid process

27 1280 msiexec.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

flow	pid	process
27	1280	msiexec.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Drops file in System32 directory 36 IoCs

Processes:

5070e2c1776b1e15e4c4c6ad66837fb1bb5c293cdd0386b2e059e139547e458d.exealg.exeDiagnosticsHub.StandardCollector.Service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\System32\msdtc.exe	5070e2c1776b1e15e4c4c6ad66837fb1bb5c293cdd0386b2e059e139547e458d.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	5070e2c1776b1e15e4c4c6ad66837fb1bb5c293cdd0386b2e059e139547e458d.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	5070e2c1776b1e15e4c4c6ad66837fb1bb5c293cdd0386b2e059e139547e458d.exe
File opened for modification	C:\Windows\system32\AgentService.exe	5070e2c1776b1e15e4c4c6ad66837fb1bb5c293cdd0386b2e059e139547e458d.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	5070e2c1776b1e15e4c4c6ad66837fb1bb5c293cdd0386b2e059e139547e458d.exe
File opened for modification	C:\Windows\system32\locator.exe	5070e2c1776b1e15e4c4c6ad66837fb1bb5c293cdd0386b2e059e139547e458d.exe
File opened for modification	C:\Windows\system32\spectrum.exe	5070e2c1776b1e15e4c4c6ad66837fb1bb5c293cdd0386b2e059e139547e458d.exe
File opened for modification	C:\Windows\System32\vds.exe	5070e2c1776b1e15e4c4c6ad66837fb1bb5c293cdd0386b2e059e139547e458d.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\1bf00a89e703f493.bin	alg.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	5070e2c1776b1e15e4c4c6ad66837fb1bb5c293cdd0386b2e059e139547e458d.exe
File opened for modification	C:\Windows\system32\vssvc.exe	5070e2c1776b1e15e4c4c6ad66837fb1bb5c293cdd0386b2e059e139547e458d.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	5070e2c1776b1e15e4c4c6ad66837fb1bb5c293cdd0386b2e059e139547e458d.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	5070e2c1776b1e15e4c4c6ad66837fb1bb5c293cdd0386b2e059e139547e458d.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	5070e2c1776b1e15e4c4c6ad66837fb1bb5c293cdd0386b2e059e139547e458d.exe
File opened for modification	C:\Windows\system32\wbengine.exe	5070e2c1776b1e15e4c4c6ad66837fb1bb5c293cdd0386b2e059e139547e458d.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	5070e2c1776b1e15e4c4c6ad66837fb1bb5c293cdd0386b2e059e139547e458d.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	5070e2c1776b1e15e4c4c6ad66837fb1bb5c293cdd0386b2e059e139547e458d.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	5070e2c1776b1e15e4c4c6ad66837fb1bb5c293cdd0386b2e059e139547e458d.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	5070e2c1776b1e15e4c4c6ad66837fb1bb5c293cdd0386b2e059e139547e458d.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	5070e2c1776b1e15e4c4c6ad66837fb1bb5c293cdd0386b2e059e139547e458d.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	5070e2c1776b1e15e4c4c6ad66837fb1bb5c293cdd0386b2e059e139547e458d.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	5070e2c1776b1e15e4c4c6ad66837fb1bb5c293cdd0386b2e059e139547e458d.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	5070e2c1776b1e15e4c4c6ad66837fb1bb5c293cdd0386b2e059e139547e458d.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exe5070e2c1776b1e15e4c4c6ad66837fb1bb5c293cdd0386b2e059e139547e458d.exe

description	ioc	process
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	5070e2c1776b1e15e4c4c6ad66837fb1bb5c293cdd0386b2e059e139547e458d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	5070e2c1776b1e15e4c4c6ad66837fb1bb5c293cdd0386b2e059e139547e458d.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	5070e2c1776b1e15e4c4c6ad66837fb1bb5c293cdd0386b2e059e139547e458d.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	5070e2c1776b1e15e4c4c6ad66837fb1bb5c293cdd0386b2e059e139547e458d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	5070e2c1776b1e15e4c4c6ad66837fb1bb5c293cdd0386b2e059e139547e458d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	5070e2c1776b1e15e4c4c6ad66837fb1bb5c293cdd0386b2e059e139547e458d.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	5070e2c1776b1e15e4c4c6ad66837fb1bb5c293cdd0386b2e059e139547e458d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	5070e2c1776b1e15e4c4c6ad66837fb1bb5c293cdd0386b2e059e139547e458d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	5070e2c1776b1e15e4c4c6ad66837fb1bb5c293cdd0386b2e059e139547e458d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	5070e2c1776b1e15e4c4c6ad66837fb1bb5c293cdd0386b2e059e139547e458d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	5070e2c1776b1e15e4c4c6ad66837fb1bb5c293cdd0386b2e059e139547e458d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	5070e2c1776b1e15e4c4c6ad66837fb1bb5c293cdd0386b2e059e139547e458d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	5070e2c1776b1e15e4c4c6ad66837fb1bb5c293cdd0386b2e059e139547e458d.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	5070e2c1776b1e15e4c4c6ad66837fb1bb5c293cdd0386b2e059e139547e458d.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	5070e2c1776b1e15e4c4c6ad66837fb1bb5c293cdd0386b2e059e139547e458d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	5070e2c1776b1e15e4c4c6ad66837fb1bb5c293cdd0386b2e059e139547e458d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	5070e2c1776b1e15e4c4c6ad66837fb1bb5c293cdd0386b2e059e139547e458d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	5070e2c1776b1e15e4c4c6ad66837fb1bb5c293cdd0386b2e059e139547e458d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	5070e2c1776b1e15e4c4c6ad66837fb1bb5c293cdd0386b2e059e139547e458d.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	5070e2c1776b1e15e4c4c6ad66837fb1bb5c293cdd0386b2e059e139547e458d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	5070e2c1776b1e15e4c4c6ad66837fb1bb5c293cdd0386b2e059e139547e458d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	5070e2c1776b1e15e4c4c6ad66837fb1bb5c293cdd0386b2e059e139547e458d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	5070e2c1776b1e15e4c4c6ad66837fb1bb5c293cdd0386b2e059e139547e458d.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	5070e2c1776b1e15e4c4c6ad66837fb1bb5c293cdd0386b2e059e139547e458d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	5070e2c1776b1e15e4c4c6ad66837fb1bb5c293cdd0386b2e059e139547e458d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 61 IoCs

Processes:

msiexec.exealg.exemsdtc.exe5070e2c1776b1e15e4c4c6ad66837fb1bb5c293cdd0386b2e059e139547e458d.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File created	C:\Windows\WinSxS\InstallTemp\20240428211148763.0\mfc80JPN.dll	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20240428211148966.1	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240428211148513.0\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd.cat	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240428211148591.0\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_dec6ddd2.manifest	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240428211148763.0\mfc80ITA.dll	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB287.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBC7B.tmp	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240428211148763.0\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_3415f6d0.manifest	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240428211148763.0\mfc80ENU.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240428211148763.0\mfc80DEU.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240428211148920.0\8.0.50727.42.cat	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240428211148935.0\8.0.50727.42.policy	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240428211148966.1\8.0.50727.42.policy	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240428211148482.0\ATL80.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240428211148998.0\8.0.50727.42.cat	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240428211148763.0\mfc80KOR.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240428211148966.0\8.0.50727.42.cat	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240428211148966.1\8.0.50727.42.cat	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20240428211148591.0	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20240428211148935.0	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240428211148591.0\mfc80.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240428211148591.0\mfcm80.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240428211148591.0\mfcm80u.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240428211148591.0\mfc80u.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240428211148763.0\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_3415f6d0.cat	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240428211148888.0\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0ee63867.manifest	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240428211148966.0\8.0.50727.42.policy	msiexec.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File created	C:\Windows\Installer\SourceHash{A49F249F-0C91-497F-86DF-B2585E8E76B7}	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240428211148763.0\mfc80CHT.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240428211148920.0\8.0.50727.42.policy	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240428211148591.0\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_dec6ddd2.cat	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240428211148763.0\mfc80CHS.dll	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20240428211148888.0	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240428211148513.0\msvcr80.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240428211148513.0\msvcm80.dll	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20240428211148763.0	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240428211148888.0\vcomp.dll	msiexec.exe
File opened for modification	C:\Windows\Installer\e57b12f.msi	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240428211148763.0\mfc80ESP.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240428211148888.0\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0ee63867.cat	msiexec.exe
File created	C:\Windows\Installer\e57b133.msi	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20240428211148482.0	msiexec.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	5070e2c1776b1e15e4c4c6ad66837fb1bb5c293cdd0386b2e059e139547e458d.exe
File created	C:\Windows\Installer\e57b12f.msi	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240428211148482.0\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_6e805841.manifest	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240428211148935.0\8.0.50727.42.cat	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20240428211148966.0	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240428211148513.0\msvcp80.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240428211148763.0\mfc80FRA.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240428211148998.0\8.0.50727.42.policy	msiexec.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Windows\WinSxS\InstallTemp\20240428211148482.0\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_6e805841.cat	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240428211148513.0\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd.manifest	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20240428211148998.0	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20240428211148513.0	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20240428211148920.0	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exevssvc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000073c7eb973396fb40000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000073c7eb90000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900073c7eb9000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d073c7eb9000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000073c7eb900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

fxssvc.exeSearchProtocolHost.exeSearchFilterHost.exemsiexec.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006f57caa7b099da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000049d725a7b099da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ebb659adb099da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a0b15cafb099da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000af7ca7aeb099da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007e2048aeb099da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007834c3afb099da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b4767dadb099da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe

Modifies registry class 56 IoCs

Processes:

msiexec.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Win32Assemblies\Global	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\SourceList\Media	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC80.MFCLOC,type="win32",version="8.0.50727.42",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86" = 2b0078003f0076005d003500320070005d003f004400700030005300440043006c0021007b006300560043005f005200650064006900730074003e006900450024005b004d00310025002e0064002700650038004d006b0062004900640046007700550000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\SourceList\Media\5 = ";Microsoft Visual C++ 2005 Redistributable [Disk 1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\SourceList\Media\9 = ";Microsoft Visual C++ 2005 Redistributable [Disk 1]"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC80.CRT,type="win32",version="8.0.50727.42",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86" = 2b0078003f0076005d003500320070005d003f004400700030005300440043006c0021007b006300560043005f005200650064006900730074003e005f006a0030002c0059005d007300210053006f00650038004d006b0062004900640046007700550000000000	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\PackageCode = "FA1F9ADB128EB664EAA9BA3CE244C0B1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\SourceList\PackageName = "vcredist.msi"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\SourceList	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC80.MFC,type="win32",version="8.0.50727.42",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86" = 2b0078003f0076005d003500320070005d003f004400700030005300440043006c0021007b006300560043005f005200650064006900730074003e0021004d00210026005a005a006300300025006e00650038004d006b0062004900640046007700550000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F942F94A19C0F79468FD2B85E5E8677B\VC_Redist	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\AA5D9C68C00F12943B2F6CA09FE28244\F942F94A19C0F79468FD2B85E5E8677B	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\SourceList\Media\1 = ";Microsoft Visual C++ 2005 Redistributable [Disk 1]"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\AA5D9C68C00F12943B2F6CA09FE28244	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Features\F942F94A19C0F79468FD2B85E5E8677B	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F942F94A19C0F79468FD2B85E5E8677B	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\Language = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\SourceList\Media\7 = ";Microsoft Visual C++ 2005 Redistributable [Disk 1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\SourceList\Media\8 = ";Microsoft Visual C++ 2005 Redistributable [Disk 1]"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC80.OpenMP,type="win32",version="8.0.50727.42",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86" = 2b0078003f0076005d003500320070005d003f004400700030005300440043006c0021007b006300560043005f005200650064006900730074003e0035006f00300068002c0070004d0076004e003d00650038004d006b0062004900640046007700550000000000	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\Version = "134268455"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.8.0.Microsoft.VC80.MFC,type="win32-policy",version="8.0.50727.42",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86" = 2b0078003f0076005d003500320070005d003f004400700030005300440043006c0021007b006300560043005f005200650064006900730074003e003d0024006b00600049004e005d00490038004300650038004d006b0062004900640046007700550000000000	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\SourceList\Media\3 = ";Microsoft Visual C++ 2005 Redistributable [Disk 1]"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\SourceList\Media	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.8.0.Microsoft.VC80.OpenMP,type="win32-policy",version="8.0.50727.42",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86" = 2b0078003f0076005d003500320070005d003f004400700030005300440043006c0021007b006300560043005f005200650064006900730074003e00370030002d0054002400210028002a0026004e00650038004d006b0062004900640046007700550000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\Clients = 3a0000000000	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\SourceList\Media\4 = ";Microsoft Visual C++ 2005 Redistributable [Disk 1]"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F942F94A19C0F79468FD2B85E5E8677B	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC80.ATL,type="win32",version="8.0.50727.42",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86" = 2b0078003f0076005d003500320070005d003f004400700030005300440043006c0021007b006300560043005f005200650064006900730074003e00700052005e007000580049006000510075006f00650038004d006b0062004900640046007700550000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\ProductName = "Microsoft Visual C++ 2005 Redistributable"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\AA5D9C68C00F12943B2F6CA09FE28244	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.8.0.Microsoft.VC80.MFCLOC,type="win32-policy",version="8.0.50727.42",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86" = 2b0078003f0076005d003500320070005d003f004400700030005300440043006c0021007b006300560043005f005200650064006900730074003e006600720038005f006c0028006d0032004e004400650038004d006b0062004900640046007700550000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.8.0.Microsoft.VC80.CRT,type="win32-policy",version="8.0.50727.42",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86" = 2b0078003f0076005d003500320070005d003f004400700030005300440043006c0021007b006300560043005f005200650064006900730074003e0061005a004f002c0048002a004b00320060004500650038004d006b0062004900640046007700550000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F942F94A19C0F79468FD2B85E5E8677B\Servicing_Key	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\SourceList\Media\10 = ";Microsoft Visual C++ 2005 Redistributable [Disk 1]"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.8.0.Microsoft.VC80.ATL,type="win32-policy",version="8.0.50727.42",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86" = 2b0078003f0076005d003500320070005d003f004400700030005300440043006c0021007b006300560043005f005200650064006900730074003e0036006b007d00700048004c004800240053004400650038004d006b0062004900640046007700550000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\SourceList\Media\11 = ";Microsoft Visual C++ 2005 Redistributable [Disk 1]"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\SourceList\Media	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\SourceList\Media\6 = ";Microsoft Visual C++ 2005 Redistributable [Disk 1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\SourceList\Media\2 = ";Microsoft Visual C++ 2005 Redistributable [Disk 1]"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

Processes:

msiexec.exe5070e2c1776b1e15e4c4c6ad66837fb1bb5c293cdd0386b2e059e139547e458d.exeDiagnosticsHub.StandardCollector.Service.exe

pid	process
2036	msiexec.exe
2036	msiexec.exe
2324	5070e2c1776b1e15e4c4c6ad66837fb1bb5c293cdd0386b2e059e139547e458d.exe
2324	5070e2c1776b1e15e4c4c6ad66837fb1bb5c293cdd0386b2e059e139547e458d.exe
2324	5070e2c1776b1e15e4c4c6ad66837fb1bb5c293cdd0386b2e059e139547e458d.exe
2324	5070e2c1776b1e15e4c4c6ad66837fb1bb5c293cdd0386b2e059e139547e458d.exe
2324	5070e2c1776b1e15e4c4c6ad66837fb1bb5c293cdd0386b2e059e139547e458d.exe
2324	5070e2c1776b1e15e4c4c6ad66837fb1bb5c293cdd0386b2e059e139547e458d.exe
2324	5070e2c1776b1e15e4c4c6ad66837fb1bb5c293cdd0386b2e059e139547e458d.exe
2324	5070e2c1776b1e15e4c4c6ad66837fb1bb5c293cdd0386b2e059e139547e458d.exe
2324	5070e2c1776b1e15e4c4c6ad66837fb1bb5c293cdd0386b2e059e139547e458d.exe
2324	5070e2c1776b1e15e4c4c6ad66837fb1bb5c293cdd0386b2e059e139547e458d.exe
2324	5070e2c1776b1e15e4c4c6ad66837fb1bb5c293cdd0386b2e059e139547e458d.exe
2324	5070e2c1776b1e15e4c4c6ad66837fb1bb5c293cdd0386b2e059e139547e458d.exe
2324	5070e2c1776b1e15e4c4c6ad66837fb1bb5c293cdd0386b2e059e139547e458d.exe
2324	5070e2c1776b1e15e4c4c6ad66837fb1bb5c293cdd0386b2e059e139547e458d.exe
2324	5070e2c1776b1e15e4c4c6ad66837fb1bb5c293cdd0386b2e059e139547e458d.exe
2324	5070e2c1776b1e15e4c4c6ad66837fb1bb5c293cdd0386b2e059e139547e458d.exe
2324	5070e2c1776b1e15e4c4c6ad66837fb1bb5c293cdd0386b2e059e139547e458d.exe
2324	5070e2c1776b1e15e4c4c6ad66837fb1bb5c293cdd0386b2e059e139547e458d.exe
2324	5070e2c1776b1e15e4c4c6ad66837fb1bb5c293cdd0386b2e059e139547e458d.exe
2324	5070e2c1776b1e15e4c4c6ad66837fb1bb5c293cdd0386b2e059e139547e458d.exe
2324	5070e2c1776b1e15e4c4c6ad66837fb1bb5c293cdd0386b2e059e139547e458d.exe
2324	5070e2c1776b1e15e4c4c6ad66837fb1bb5c293cdd0386b2e059e139547e458d.exe
2324	5070e2c1776b1e15e4c4c6ad66837fb1bb5c293cdd0386b2e059e139547e458d.exe
2324	5070e2c1776b1e15e4c4c6ad66837fb1bb5c293cdd0386b2e059e139547e458d.exe
2324	5070e2c1776b1e15e4c4c6ad66837fb1bb5c293cdd0386b2e059e139547e458d.exe
2324	5070e2c1776b1e15e4c4c6ad66837fb1bb5c293cdd0386b2e059e139547e458d.exe
2324	5070e2c1776b1e15e4c4c6ad66837fb1bb5c293cdd0386b2e059e139547e458d.exe
2324	5070e2c1776b1e15e4c4c6ad66837fb1bb5c293cdd0386b2e059e139547e458d.exe
2324	5070e2c1776b1e15e4c4c6ad66837fb1bb5c293cdd0386b2e059e139547e458d.exe
2324	5070e2c1776b1e15e4c4c6ad66837fb1bb5c293cdd0386b2e059e139547e458d.exe
2324	5070e2c1776b1e15e4c4c6ad66837fb1bb5c293cdd0386b2e059e139547e458d.exe
2324	5070e2c1776b1e15e4c4c6ad66837fb1bb5c293cdd0386b2e059e139547e458d.exe
2324	5070e2c1776b1e15e4c4c6ad66837fb1bb5c293cdd0386b2e059e139547e458d.exe
2324	5070e2c1776b1e15e4c4c6ad66837fb1bb5c293cdd0386b2e059e139547e458d.exe
2324	5070e2c1776b1e15e4c4c6ad66837fb1bb5c293cdd0386b2e059e139547e458d.exe
3088	DiagnosticsHub.StandardCollector.Service.exe
3088	DiagnosticsHub.StandardCollector.Service.exe
3088	DiagnosticsHub.StandardCollector.Service.exe
3088	DiagnosticsHub.StandardCollector.Service.exe
3088	DiagnosticsHub.StandardCollector.Service.exe
3088	DiagnosticsHub.StandardCollector.Service.exe
3088	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

660
660

pid	process
660
660

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

5070e2c1776b1e15e4c4c6ad66837fb1bb5c293cdd0386b2e059e139547e458d.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exemsiexec.exesrtasks.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2324	5070e2c1776b1e15e4c4c6ad66837fb1bb5c293cdd0386b2e059e139547e458d.exe
Token: SeAuditPrivilege	3020	fxssvc.exe
Token: SeRestorePrivilege	1200	TieringEngineService.exe
Token: SeManageVolumePrivilege	1200	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2352	AgentService.exe
Token: SeBackupPrivilege	4320	vssvc.exe
Token: SeRestorePrivilege	4320	vssvc.exe
Token: SeAuditPrivilege	4320	vssvc.exe
Token: SeBackupPrivilege	2316	wbengine.exe
Token: SeRestorePrivilege	2316	wbengine.exe
Token: SeSecurityPrivilege	2316	wbengine.exe
Token: 33	4396	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4396	SearchIndexer.exe
Token: SeSecurityPrivilege	2036	msiexec.exe
Token: SeBackupPrivilege	2036	msiexec.exe
Token: SeRestorePrivilege	2036	msiexec.exe
Token: SeRestorePrivilege	2036	msiexec.exe
Token: SeTakeOwnershipPrivilege	2036	msiexec.exe
Token: SeRestorePrivilege	2036	msiexec.exe
Token: SeTakeOwnershipPrivilege	2036	msiexec.exe
Token: SeBackupPrivilege	4876	srtasks.exe
Token: SeRestorePrivilege	4876	srtasks.exe
Token: SeSecurityPrivilege	4876	srtasks.exe
Token: SeTakeOwnershipPrivilege	4876	srtasks.exe
Token: SeBackupPrivilege	4876	srtasks.exe
Token: SeRestorePrivilege	4876	srtasks.exe
Token: SeSecurityPrivilege	4876	srtasks.exe
Token: SeTakeOwnershipPrivilege	4876	srtasks.exe
Token: SeRestorePrivilege	2036	msiexec.exe
Token: SeTakeOwnershipPrivilege	2036	msiexec.exe
Token: SeDebugPrivilege	2324	5070e2c1776b1e15e4c4c6ad66837fb1bb5c293cdd0386b2e059e139547e458d.exe
Token: SeDebugPrivilege	2324	5070e2c1776b1e15e4c4c6ad66837fb1bb5c293cdd0386b2e059e139547e458d.exe
Token: SeDebugPrivilege	2324	5070e2c1776b1e15e4c4c6ad66837fb1bb5c293cdd0386b2e059e139547e458d.exe
Token: SeDebugPrivilege	2324	5070e2c1776b1e15e4c4c6ad66837fb1bb5c293cdd0386b2e059e139547e458d.exe
Token: SeDebugPrivilege	2324	5070e2c1776b1e15e4c4c6ad66837fb1bb5c293cdd0386b2e059e139547e458d.exe
Token: SeRestorePrivilege	2036	msiexec.exe
Token: SeTakeOwnershipPrivilege	2036	msiexec.exe
Token: SeRestorePrivilege	2036	msiexec.exe
Token: SeTakeOwnershipPrivilege	2036	msiexec.exe
Token: SeRestorePrivilege	2036	msiexec.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

SearchIndexer.exe5070e2c1776b1e15e4c4c6ad66837fb1bb5c293cdd0386b2e059e139547e458d.exeVCREDI~1.EXEmsiexec.exe

description	pid	process	target process
PID 4396 wrote to memory of 4620	4396	SearchIndexer.exe	SearchProtocolHost.exe
PID 4396 wrote to memory of 4620	4396	SearchIndexer.exe	SearchProtocolHost.exe
PID 4396 wrote to memory of 2964	4396	SearchIndexer.exe	SearchFilterHost.exe
PID 4396 wrote to memory of 2964	4396	SearchIndexer.exe	SearchFilterHost.exe
PID 2324 wrote to memory of 1952	2324	5070e2c1776b1e15e4c4c6ad66837fb1bb5c293cdd0386b2e059e139547e458d.exe	VCREDI~1.EXE
PID 2324 wrote to memory of 1952	2324	5070e2c1776b1e15e4c4c6ad66837fb1bb5c293cdd0386b2e059e139547e458d.exe	VCREDI~1.EXE
PID 2324 wrote to memory of 1952	2324	5070e2c1776b1e15e4c4c6ad66837fb1bb5c293cdd0386b2e059e139547e458d.exe	VCREDI~1.EXE
PID 1952 wrote to memory of 1280	1952	VCREDI~1.EXE	msiexec.exe
PID 1952 wrote to memory of 1280	1952	VCREDI~1.EXE	msiexec.exe
PID 1952 wrote to memory of 1280	1952	VCREDI~1.EXE	msiexec.exe
PID 2036 wrote to memory of 4876	2036	msiexec.exe	srtasks.exe
PID 2036 wrote to memory of 4876	2036	msiexec.exe	srtasks.exe
PID 2036 wrote to memory of 1760	2036	msiexec.exe	MsiExec.exe
PID 2036 wrote to memory of 1760	2036	msiexec.exe	MsiExec.exe
PID 2036 wrote to memory of 1760	2036	msiexec.exe	MsiExec.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\5070e2c1776b1e15e4c4c6ad66837fb1bb5c293cdd0386b2e059e139547e458d.exe
"C:\Users\Admin\AppData\Local\Temp\5070e2c1776b1e15e4c4c6ad66837fb1bb5c293cdd0386b2e059e139547e458d.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2324

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VCREDI~1.EXE
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VCREDI~1.EXE
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1952

C:\Windows\SysWOW64\msiexec.exe
msiexec /i vcredist.msi
3⤵
- Blocklisted process makes network request
PID:1280

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:216

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:3088

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1888

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3020

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4948

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3544

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4080

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4288

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1996

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4100

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2904

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:452

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2776

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3456

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3656

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1596

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:208

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1200

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2352

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3904

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4320

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2316

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1804

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4396

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:4620

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:2964

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4876

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 50D81EA62FD88FDA9224760E194712BF
2⤵
- Loads dropped DLL
PID:1760

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
b686b9796df198cbbc5e8a8c1945cfab

SHA1
af59500547fd6d5f3d4f2c839675ba77d70e07e7

SHA256
9fc7d82b29d3049936fcc8f85f8d2d592b825c1cb368081f9068c9dfd9758a63

SHA512
4a925c04f6bf5ebffe5b377ae222d4fefbd02a689c7bd5c2a681fd479cd45ea4649830c60f0c4b447126d9d4330481c79af2d1fd186db6ee0a26c62fce902927

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.6MB

MD5
c4d91da2a948a58c612921996f47933c

SHA1
8ee33917d262d913a3d8acff37d38a6e96ce8dff

SHA256
27246bea602fe16744bdd31273b7500a4c26edd1561e0d62eb6f583eaae0193d

SHA512
bf4e8ec496ede627fe6a38588b4550a482438f2bd4819d379579afd666e1749d6799e00195df66f2d9adbbe76e67a24e5f487057e4c3030910a1ecbd2c5eb2c3

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.9MB

MD5
d3cb92664c3d6f6331d455361f7cd2b4

SHA1
e621cd4bdb05bd2431a0b4d3e856461bf97b7e4e

SHA256
7d2b3cfb71307eff5603f668a03084402dac8a89aaaea16a312f43aa66965b80

SHA512
342dfe16c60f9b4b46dd5cb8519df51b96977a3b2282e55ec523f20e622a3b19d297ac0533758c0a33c14b43e2c30e39faa4445382a9176b948087f82b736e2f

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
6b8ee4ea3a9f4ab6fe2c3c885e438410

SHA1
ea6c3fdb0069fa277f3ccb17abebab6bb4ef2671

SHA256
f14fb72aca5d72bc4d4491f2e040ac249a6a9f8d57370df34d5173b641954bb5

SHA512
4b3e5c72b771bf874bb2c2259d9771273379414eb7c59a86b1677de776a2831ec16d17db5221aad31a1b6d9c538e479fd841ad1ce2a0a37970a2140ae9452a83

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
38f626b7937ddac22b45507a642ff26e

SHA1
9ce7d55232556f439378458739a08d816c599ec7

SHA256
c7a96d0ee7de03e09df5fb927621feffea231b59a02dc738b93a81f9beb55084

SHA512
bbc08236849543d063dcc1aba9d08483f16d0be3c0acd0110d93a919a2e2fc4a2c19791aad826361d54435f4bfcf4adcc6c6d38f6398fdd8f082b53c2665b0ea

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
1.4MB

MD5
57e1fc11358335c2b306bb954b32f05e

SHA1
1f1e12c8ea35cf00301ce011ef7792c2395457a9

SHA256
91618015d32f938c578343f0593df4a35aafa8dd4b7d91d6b199d0bc6bc7c56d

SHA512
5a32734d214b3a2db65512e75d99a8b883e5d42694387ecba47fae603c05ec1ec48d06a563c39c7c964a7c8b915a106c7b57e9314d70bcf2fd64010dd715c896

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
1.6MB

MD5
2861a67c11e3d6ff7106c90fd65a9f9d

SHA1
17eb165c9b55501f7fe505903e3299e1b6ab1a9e

SHA256
387c1bf737a0953469ff4268a50b55a521841b07fc7e2df022714bd9d3448c34

SHA512
78da6136cb37ac272b68e7f11d7ea90a991cb1c6ace1cdd8002e49e0181d7410c2fd1d13dd4fb2ef4461a3d79fc12748f8a4fe452c183eeec4e340dfb5e40309

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
12a6eb056ec47b9f7f66c723c14ef0b4

SHA1
cdbdd7ad15ce1f08e88a0ec03ae9fa4c56f04a3d

SHA256
28b15497f06039e0f2bd6671c71d07326859cf16c47ed134b26d9de4b0df906c

SHA512
7cac088f56bb5a25a714d231528148279db331e21f0040cf33b27dac481dc03a25364c01f027c2b343b949bd25c7ba2df99fd81945e2a7bfc1fcbc198a65e5c2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
1.7MB

MD5
2a5eef4f0e933ef98556e0d71d6abd3b

SHA1
805ba96285b9576329e45e15faf964dfa9b161b1

SHA256
47536f89e99bb8b55b3742dafa317f3cbe269413510f07bdcdda6490241498ec

SHA512
1279d3936647c3a1e21cdc33cebf235acbb0a44491c60d7451dec8c08c7d989b4dec498e3f1b082502ec9b04d8a1d349847ac79521831caf8860253ee90c78ba

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
26b8b7ba709914ba6d87a4869cb65400

SHA1
c9f4697bf7ff7d6c66f7dcaa04c709e780c5c9d5

SHA256
84ede7261dfdc1415f62c34c2d9fa0f98fb02667d25af131ba86d848955df7ff

SHA512
b2db2cb3add76036eccca495c479c31e494aacee7b65c4e4bb809c4cef3ac8c786a17a6e0a8ec3b49b4588155f72658a3ad3249d50aad651979b9c9a3e1f29a3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
6aec3c69b09a9e6063b12eecb17668f6

SHA1
296d398672f9d550eab46973299b2370fbf7c5b6

SHA256
fea0ee5a1dfab578852086f0e4c99953ad05799c1d8ed65c532fd14d8c908e64

SHA512
805e0a5221f30f0417d97dca6a6777ecec85fcefa616f35bd339c09bf3a2291cfcb66586b490f5fd34f59f45b0552d96d7558758476386b5515ef1b0699503b5

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
a63985e419629af4ff50a6d081d9887a

SHA1
39b5b447f8c517228ea3706024aca583b29a877d

SHA256
f9a02b7b423739afb9385d8481dcd7e3502c06d260cdd916fd1881d221caaa1c

SHA512
2278207b9b4ffc0cff43980b3cd176776c74d7d77490f180609568de4348a19037817a0bc8da1c77acbb615fd64bfbb91d88f39e6c375a36903ee28af2d5391d

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.6MB

MD5
41cb4f62664833462189a97e95037cd6

SHA1
79491b4b5b0eb6012c3c07a7057ea33e7c3700df

SHA256
8b7b24dc7bd8c68fcb86efc18fbb22efdb63eaf41dfbaf7ac86974670461b3be

SHA512
09b6e77837a48699067f07ac5fa480fb7e4d5e6fe0abbaa5a5134638ccae8f67954f647b2ac7cd368fb2042241b9c54400d2b69d0f929922f8cf477ae0888ccb

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
1.5MB

MD5
52a68e76ea914eb924148a2a5cfd277b

SHA1
9916a49ce3a2c87e8eb4d48051183591b7651360

SHA256
4f29de6f1de71d7d7d6d157c4685b4228acb70f5e3abc5f79b44918a575f881d

SHA512
82b1045e2e7c5dd4134674f7edad31c4bf03d6c055db3abc6d1c241bbc3083744583173919375dbae91e237bf366eb1ebef003314e5b604dad76a268d00572aa

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
68566fa962745a01d782d9e976fc1ad3

SHA1
e9d3b6d7b144d7a07579ed6c1477279eaff185c9

SHA256
cfd57dcd17ce3607dcd8551cd19d553f56abb69740cedbd3591c0365e627a8df

SHA512
7e426bef31c0a6c5d64377c258750d6edda43b009ec434528b626c911f1d642e4afe55384e3452f4a9d5c5204bc9d86a7c34abd99345331a8f280336c24a22b5

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
5ae68fd6371b5a82ca6333d51378d3b9

SHA1
1621f827596cc6619670b8eee0508c6d4b3e15b5

SHA256
45b5ad6e89e9359983a10538272bef32ff7384875e6d41e15b90e1fd251b1654

SHA512
ef7d7a25d87d9618b722530c3b6f0e697ad0cdd9cd57dcf840121a03f6d134e6dc57656a8083938b1d7e5ae175041befa4ee29fe4ac1d814ade398f3e88f8196

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
2367952a47fffe53b2c0ada0a6f349bf

SHA1
d9b195975c3d5fd55318047469003c7ee9c23f22

SHA256
8726a4b9c3de08907fc886f3f6bf24996254a75a362e2c6434b7aa004e9b34b8

SHA512
b36b7b8e7934b88805306bad81ea22123b829dfe8fe4bc010f71336989ba0bd8987d876b941d80d9ee7b730c5bc0ecd1e7ab73c6baf2c86a5b2407ac22132283

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
3a065a3c719951c5c999c94d7e2c36b9

SHA1
9bd7a7b3dc855a7142430178ef67006cebb9fd72

SHA256
c09080817d7241d0d0178c8799bbae200f4e33def21bf181dd69c3ffa748137d

SHA512
7b572bb8f3ec228a2683802ce18503b565246f53fcd2a59e320760e21d58163f746d40591f8b1d78302ebd40e69d7bf463416f7f1571ef76008e47867ce0f742

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
a0ecd81e8f8aacb890f8dd0ed265fa8b

SHA1
114cfcfe3bf5fadc8aaa9ce544c05f3a30e5abb0

SHA256
a16be14b5bd317cd4e049c2e900ba2aa39ed5f52bfc15770bfc7d63480ecd474

SHA512
9684793504d832667764dea615fc559bef4bf45e860695bdb2501c5c044d3316cb71a30ddf51987285debcd799b57ab95acce802a369792a9aacffee63f6206a

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
43337708a3aac1ba1e7b6f1728ae2eff

SHA1
43040e2b7599008ebebdccbbbde8e5f733106ef7

SHA256
1207f07edca510fb315da71d2c5546adb9b8f55b0b676d97628bed0bf77770e4

SHA512
90d010b5e24256c96d4f832b5c23e9feb905ed716aa2d522668fbc93f41808a05d7a17f17f01562e7b15add673c396afa3b1518ae7edcd10829ec94f5098c4f3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
1.4MB

MD5
629377661b54d98605e2302b187ee37a

SHA1
54eaf60ea95d39335f226561b572a39673d1ef40

SHA256
4d2703be8194e04f3ccc178b2ed9bccd9ff62e430e8a51e68ad2ce4f304437e2

SHA512
c1d48e7f9bf198e77b069563d6102772e47cdad05e76f6aca565f658d84209a1450aa6465f2d449836b56a1e7378117e66d7dd359e495ea5822bfb19c6c088a0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
1.4MB

MD5
52511465b6a2000aa695910b5c7e227d

SHA1
8e7e5247c11f1460f0c38ae934bcc520b4d26ed1

SHA256
5658dafe26b6abecba7fef1565ae2b92fd6f3dcf3ef2c6da0518cf65e036bc27

SHA512
a099f0c884cfa1e46b3a86449a2eaba561cd973807f1baf05c45c80a620275cfcfb6dfa2caf786f44713b40d33f94ed419823daf8b51028ea0b1ce547deca46f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
1.4MB

MD5
329c47fcb1e45ff3fdd4e8dd8cc25cf6

SHA1
e532c4e12677c1dc64f846d3ff7f02b8c25b5104

SHA256
ee48db472a7097ff17057037baf4bd75ba5c527afa2f7a5fa92f1a46478664f2

SHA512
e3d083bf14bf0e661e73e4c82341394b6e0110e53644c7629b555ac7fcc2dfa9ce31a1d3aee8bd89fade87c39f510f17c667af607dae378d02dd0a07f1ec16b7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
1.4MB

MD5
21d4d750727094cda92a655949e333e4

SHA1
7c9f34e10f3266a0046a7aeae0c7e0f216eecafa

SHA256
203f75beeb73c182465d1e90f6f26426783eb3fc1369dc58c74e134e7adabddd

SHA512
23a9c17d9c89b3e38fb9eb717e3720ac4d054becdb457531a961ef19f5d97b337b783b0ad8419a34e89d71e81bf57b99b69b3f75a402fbfb43dcc63cef52e2e7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
1.4MB

MD5
a034d67577198116d257c059bd56a25e

SHA1
f27c29e246dbe1fc29b85805db1168c52f44bcd9

SHA256
d7492df6bb164f6dde275fc7ef1a024bdb0a8ea1d992e4a1a6f1d7b3b5d72e9f

SHA512
393271d7e95a0553f1a72a2c0f9db0de3e4fcfdf93869ccd097ea7f54e4a9b328f173f4dd99a439bf73045be9b4d8c2156781f6ddb1f0299e184f90afba59125

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
1.4MB

MD5
ff44e8775342e249d9c5db0cbe8316a6

SHA1
cd91d4547d636d2bc7ad71f68eccefec6e3b1975

SHA256
41712a068a16be06e9e7d1e2f135855d8c7a7641300511893e83a986d3036de4

SHA512
99cc4b7524c045396cb6d58622e4901332e67f1a312f04a939bcf0741e566ab3231acc4016e2836cddc59d05f2c8dd5b9c08e757c65195268c9bcf5b3f78e769

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
1.4MB

MD5
59610531e3097837795b1d92b1f43bcf

SHA1
264ed5ff1cd76609792f436f1a72e762039ac80a

SHA256
9c0afbce6d444ff5b83527ab1533dc2d01f19a9e2e24f41152adb44aba63f67d

SHA512
4bd0d8a9dbdba616279f25b6f567cc016f873b78bdaad80e4493d14a83887e58b15c0919b4e0a317b9f57d04c864115278953d7f32182376ba6aa641d0291273

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
f7cda4e86f9cc2ed69da12ba71f3741e

SHA1
d752fae65d3e429afb719362bece27727504fefc

SHA256
d8f9ecc289f7bc4f5155a4a59e56b77c59afde8acdd35dcce579a6c88ad5498b

SHA512
0485ef28a90cd581524408edcbff5692b3af904b1b6c7203265671c2b21edd317c4aad6c95f51ead50e197bf481842376fec45781d080128027c46bbb1be3307

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
1.5MB

MD5
fd2486e52a310d9c5ee6fc10d7983cf8

SHA1
5f643713598e0bc998c4edac49bf657a5a25e9f1

SHA256
62a2feb6fe741bed3ec3e32b22164c909dc0c46e6564d1d96f536edb06b0c7a2

SHA512
ba9ed46d1c00283197cbd2e0208bd33696dcbf30fea40809e0fd3f1823d779578ee6c79d97389a1b8219a554888dc2b800ba82815990f390711346adb7705a48

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VCREDI~1.EXE
Filesize
2.5MB

MD5
f031c0d2b460209b47b91c46a3d202fe

SHA1
95040f80b0d203e1abaec4e06e0ec0e01c507d03

SHA256
492826e1aacd984a00dd67a438386e4de883cc923cb1f25e265525a4cf70ed7b

SHA512
18840649d19c5310d274bac69010514872a554bb5ecadb4af5fa3667ad1a6bf9d644b31393edbc1b60ace6eff907c79c078f8213948cf90fa4d1529c68ccc629

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vcredis1.cab
Filesize
245KB

MD5
00d3bf1c1e82eee48fdf3361dd860e19

SHA1
b2f45cd2791ce178b45b06a95e7f58f298512d6d

SHA256
f2ce7873a39f7f8a2a2cd888a6b2f0a25f62bb3c475ee73cfe54988982ef65de

SHA512
cf5c06c4052b103d0a339d5535db2d8a9f069e928ee8c985f03e321b7e1977ff2f2200ad15671d6e93b9c706bea7586cd3df11fdbaaaf8c63a0ea4291431bca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vcredist.msi
Filesize
2.4MB

MD5
b31b234cb0f534069ba32aaaeacd7b2d

SHA1
d6f90459f8bdbf7e75cc85affe9b137dc5e304e2

SHA256
b5a652a1025f194f59e1349a1f26709d7ff7760067439b2d52d988a55d9340f0

SHA512
138cb14f6018d3bddd78012c5b36a591fe70d1b2b7f9d3774230639302401be57e1a4d6098c66a83c47e67138ac6dbe79f64548e4c317bb804a4e9a3ffdf94ea

Download Submit
C:\Windows\Installer\MSIB287.tmp
Filesize
24KB

MD5
7bfa56d222ecc4267e10c01462c6d0d9

SHA1
9b3236a45673ff3bb89df3e690784b673ae02038

SHA256
6eeb255e1d5333a7b4f1b62e36afa1bea5cfd6c7e32058bb3a9efebc4d9f2ad6

SHA512
10cec6bfd08a8b7cac1acbc3627cb014554ba71f44eb4bfe5b1471b81d6d292fd83a352d553af0de75fc1668a1f13d7f6f6c7bf1c6524117f363a3a7fc9b09e9

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.4MB

MD5
1ae49a13c8c2b06b8125e49b73627579

SHA1
1e7ebf2a7b63e4111862e6e55c54abf948641ca1

SHA256
e146f8c69fb2ace259264762b694967bfe7e65340fc22f3536a84094fb671f0b

SHA512
bcb9464d7a4ac9ae2e4888a2b54db774a1169e3871670e4533caa5940f6610d4035827005d8517ba3726304ada42b49442f98b2e4d0dceb935599b4b77142369

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
4dd8df8071ffdc9a60608777465faf82

SHA1
c1459e7294b9089a5776bb6c71c135e53a1cb1bc

SHA256
48d86868338c6802ecd4c4d02031b82aaef1bd8d1b1f1acb08c68623bcdb300a

SHA512
f51a5adbe06e82c4d6337698f803acf16445e22f0beebbc3f7af5fc94b6be3dee225fa2ebe7779f49b8064e8b7c5151060d81ca36e613340e3e84ac012814839

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.5MB

MD5
a8d4943d1c1eeac301752cd7fcdd8ad8

SHA1
65e333f3155ae823f9819adfb34504412be3811b

SHA256
c06ac4773107cf6298a548467345052f1d81af532be9c7135f74dc25688b82e0

SHA512
a2db636e29a0b1e73ecdd3e276ef9f89224b024ed45072deac6aab11ef800ee3a724522e22495855e77b0165149cf7ead69c1a23d8288a1baa37b36c99517116

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
40fcbe97b407b4fde3dd18790580f94e

SHA1
6298fb792e44156a769e5af44a0b2fbd617840eb

SHA256
26aef02a1939ff664cbdb5de51faa1d941f34fb18d936901cbed7663e6911a25

SHA512
7549aca652b208705bc3754f707ebe0cb24ffb71c6d4c41596192425a38a765d1ead08c0ba8138536c9d4255d19a4bea9ed2d740c721f97ff7252f60f991a934

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.4MB

MD5
ef7e92b4e8e912d5590a54c137c078be

SHA1
8e490b8e2eb77d75367786d5b39bd8997fb7b210

SHA256
3b61b4314d441c6139d5a6247723b067ceff00500576333ee93f24756a96e329

SHA512
b29b7db9456d74b33fff673e0772c38c182ced9a0f335dbecd6e744c4a8726e8096cf0f87ad47528880a4c968b271fd83e04ddd859a176c5dc083523093c392c

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.7MB

MD5
46d42a5db18c6dc1f13832965586d0a1

SHA1
ae6d06502ed8be9bc17152592843fc0678e7fbed

SHA256
32547bdbf5ea3a9d5e63822ef1960a679067648a834d35611d698f91ec618f9a

SHA512
fea53fc80076b3a61115462433fdbc2b5656cd328b91e005de414fdcbff60b05fa47eb467fa5edd2ae187f496d8bbc6aadb1d55dfa0e7093de4e8397e10b195d

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.5MB

MD5
66d14000480e01e5b63594320245e85e

SHA1
58954a9f47b55eee3c488ab008605bf6ecb01245

SHA256
039ab100bb8bbe517b122296f22b71a20f511198763a7fe6dfe732f60a025c9e

SHA512
4e2b65b76c880afc1f3684bb0092848f28f18d26cd5e34e9cec10f32efad19f3246b1baa5b965b56c4bb6b3ffa15ccea7bbb94d0d09937856f0c367287b9a351

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
75d3aff9979a94202230bec87f1a1ea4

SHA1
498007f97d3207910ea88e0d6adf51371c5acd42

SHA256
91f39d168f1e28b4441a3fde011da85740a2fe78e81c9847c34bd54eb7c0879d

SHA512
dbf42d116d592ffcfe2be224d3416b56c58fd60c041d932bf02090700021e8994159a89e7e3fa154687828e0dffb256ab5aba48220a62644bdd4a471a3d4574f

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
b95e6bafaec80d4e0fd56d4d0af65bb4

SHA1
a13b90c3eafe647483aadba9c13d11017e2a75f7

SHA256
4404b2971c92f7de91acdb399993888322f8f710c8547d274ad386a854958d74

SHA512
c173d5b02c65e93eedbe95918ca7d56bc2182290dd47bb2438ea442127075817ced02d2bd0a324a6bd3af6b9ee51ce62b541f0be9af59fa561900b8cd7f016e1

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
20bbdf3b43a03076d121d56d7dc73d3e

SHA1
d480f61e153f79719111bfab7ed75fb8c41184b1

SHA256
11171dae45efae0316770282574892f08c213f53b70ace93c30ae32d8698d85a

SHA512
c16eb5c04677e8b9cd0cefbb0338fee0030d00d30712a15074a497dd903ca7ad3a3c0139212a89c15c6c5ef653b9a50efd813f55e996be82b32ff4ced5498d14

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.7MB

MD5
a24a35f323a8a07f8be275ed076ce4a1

SHA1
ad7aceaaedeec5488766a8e62c98ca5f020a1b4f

SHA256
9d6c0c9f64eae5d61a458b12175ff0eeb5dbfb36439b2721b5c852475bb48fd6

SHA512
54f3d0ae1225958d33b5b2d84bb06c623c518cd817671eb52d87b8180b21089b7e1e1511885b935bc8465e57c308fa1dacc3325482708672a7273028d2b96a0d

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
9732231914fef0ba87c48b622e713ebe

SHA1
9480eab95c81d520cb9b1c28e7d855868be45449

SHA256
1f8d4126f255758530097ecf036497d81217ad1c492b0f1188cbc3ccb40e6e69

SHA512
0d7487135bdf54db3d7107565ff3130664bd0af3f3eaea93008965386b4b920780eb1df3883e816aed1ec519ac1a9dddaec18b5e75b82ef88662783d915a7dac

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.5MB

MD5
4dbef80d00d45bb8a0ec3a9c6f593157

SHA1
8a8880de5934d69df7ed2c5da874079743f4bfba

SHA256
729112b05616aef62e2b57815fb1784541860e59a73192e8840c070e1446a60d

SHA512
c8eb3051e273032bb0fe5739c779e872fabc83ff5744d1d863e2b73ed3a192456f68d12a1378ce4c3f1079a370967c7605837e014dd33ef82bf8c39c28493fd9

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.5MB

MD5
bf98ac11a82cefafd400e1c15fee9876

SHA1
e65817ea45257bc641ba128d141ddbd0ad25be4e

SHA256
6f004e779c8427c861339738c1ace31d1a527559a9f8729cd1cdff92b44c1050

SHA512
da3919ce60ad95f28fdb0b0fe0c21e34ec95587b28880a9264e70ea67ab2b0e326ce26a0390abc14ec4565e4dc322e29ca1f8b4204de548e29122755f66a4c55

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.4MB

MD5
869bb7224438064995e7a89ddddf2a73

SHA1
3aa93b1834ac23e37be00bda7790bc618e4c91f4

SHA256
c59a3d04b49b3310aa774b0561ac5e614241e748e50afef78b8f00c3be6e9bdf

SHA512
70be8db9313f5610f514607ff0e7f68869c4e9644329c8a3aff25c7d249f6a045d23d98ce83114101e68e479bb8d0e78706fd2a4c262ea732d15cfb7d0ed300e

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
8f00a29246c56437a7cb59f7d62dbd48

SHA1
c6a51e7f369c417e381f2f5d9dbbe93b120315b0

SHA256
6d1d0a519f7c208071e15a6d90351a4adb34e258a9f9854474983533448f8878

SHA512
26e24ee29bc90ae3771a712a23a4940473fe8d49ec7d2454893daff0317fe754dd096ef957ba4a5b9e7ffa74de8263ffe8f78d9f530cac627fcbbe24a4c9aed7

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.6MB

MD5
91667e233c8eee032f9be9bd9e246571

SHA1
04dec9c4112c09303c9494de0e55ebc16144320a

SHA256
54dd9506952cdffe8fa52b07f4af981878af72dbf0acbccbfd0e382c2a317e34

SHA512
6f14c126e8fa9d2dd1255a341ed1ee0716d6a205f69e3473ede6bf97eab7fa668d9de1b1d70d77db29b327ef3f595fb7cae4e42e5ae045ef83a995299e1cdc23

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
a7031277ace8aee41b631f76e387b53e

SHA1
4f22e53e1bb13328cf959b7ba8173b94127f9dd8

SHA256
6de914e76b96a2a8736869749a2ea34245b8a5855678ad945a2446f917a276d7

SHA512
54d36a3b5ddae67a1696a52657877a7e50a0a6c49f79e1c8cefec046815010979dc43c54db91e331008cf0ccf28dc891bdad25426aef40b9bd84e88f2573eac0

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
9933d8f44e79df1ecc729925c20a0c51

SHA1
05d85cf6b556d3fcdd0fe51015edf263f3f0406b

SHA256
a97ef411028cd1f1dccfc31d4a7aab6ad1bc572b621be8e1e5cabb3f8884bfbd

SHA512
80c126e802e3b2374a8737b11a1f31d2aa07ccb2245c991ba0391cd38197db7dafe109ce511a90f445ad463e68ca049bad8730193bf0e3dec5ec63e2757307a8

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
1.7MB

MD5
14bb4d107044a72a4d1af32b2cb460e9

SHA1
a57742edace7754654b3d3e217a661f006c0882e

SHA256
34f79149254ebaf84a79299197e0fb90cac85f94ceb8d9f1fc303eb0d5322465

SHA512
4fb8cb7ef4d8cae6dc4302222f0f0a78e24c73c84a11bcecae4c764b1d7ee2f3ff2677f10f076a37803b6a44ac86af9d451449dfe22ee74097002dc60055da9e

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
1.4MB

MD5
fcf9df173e9d1ad67ba4b97131a7fa50

SHA1
2e99236da3a77c96c5aa59e610bce6167c066af7

SHA256
8dcd2293e1953ac583609524c22d26c07c20ade0187dad192ba1343977d312d4

SHA512
76d8b7c3d502bd1ccd047295f3e9de705191966469639bd171957f6493b880d65df138b88c0e3f7b556794f677e8d7fe25615e086bd0b2d29680d8bf9b0a7992

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
Filesize
23.7MB

MD5
804a5769a87a196e51f135d6c5156324

SHA1
0fc07953561f4dce0ef3b883cf33c913ce7d9ac6

SHA256
437f85b533d6d05921027e17888ac2894a822e07b235aea11816b082c87a6ea0

SHA512
4769bbee70236d0bd6e43ab9fb072dae273179313f5ffcbb20ff72ad8fa8b6be35d0a0b710e7ec75746f175d2f56c0e7738c257085cfca60bbf26e5b32c5c553

Download Submit
\??\Volume{b97e3c07-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{80972a39-17fe-4fe6-8670-a7f3384bfb6c}_OnDiskSnapshotProp
Filesize
6KB

MD5
3f8762d69c490e4608825ac597c7e903

SHA1
7cbf931143e36c7fdb706841bdef53b603d99c89

SHA256
09689eee0c3ecccf3d7c896af6f624db96ec7e59b87bebe9af8d9090ce1eedd3

SHA512
392186643e5616acfd5185a00018afccac813cadb8f44ec347b90124320c1d674328a20c7c39f273e368a469b8d1fcaf09a9a541776534fa7f59260b3956e0c6

Download Submit
memory/216-21-0x0000000140000000-0x000000014024D000-memory.dmp

Filesize
2.3MB

Download
memory/216-18-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/216-12-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/216-135-0x0000000140000000-0x000000014024D000-memory.dmp

Filesize
2.3MB

Download
memory/452-265-0x0000000140000000-0x0000000140238000-memory.dmp

Filesize
2.2MB

Download
memory/452-144-0x0000000140000000-0x0000000140238000-memory.dmp

Filesize
2.2MB

Download
memory/1200-203-0x0000000140000000-0x0000000140285000-memory.dmp

Filesize
2.5MB

Download
memory/1200-501-0x0000000140000000-0x0000000140285000-memory.dmp

Filesize
2.5MB

Download
memory/1596-496-0x0000000140000000-0x00000001402A5000-memory.dmp

Filesize
2.6MB

Download
memory/1596-184-0x0000000140000000-0x00000001402A5000-memory.dmp

Filesize
2.6MB

Download
memory/1804-605-0x0000000140000000-0x0000000140269000-memory.dmp

Filesize
2.4MB

Download
memory/1804-266-0x0000000140000000-0x0000000140269000-memory.dmp

Filesize
2.4MB

Download
memory/1996-221-0x0000000140000000-0x0000000140272000-memory.dmp

Filesize
2.4MB

Download
memory/1996-110-0x0000000140000000-0x0000000140272000-memory.dmp

Filesize
2.4MB

Download
memory/2036-393-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/2036-707-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/2316-254-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2316-558-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2324-1-0x0000000000B10000-0x0000000000B77000-memory.dmp

Filesize
412KB

Download
memory/2324-121-0x0000000001000000-0x0000000001320000-memory.dmp

Filesize
3.1MB

Download
memory/2324-8-0x0000000000B10000-0x0000000000B77000-memory.dmp

Filesize
412KB

Download
memory/2324-0-0x0000000001000000-0x0000000001320000-memory.dmp

Filesize
3.1MB

Download
memory/2324-726-0x0000000001000000-0x0000000001320000-memory.dmp

Filesize
3.1MB

Download
memory/2352-219-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2352-215-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2776-278-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2776-493-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2776-155-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2904-125-0x0000000000400000-0x000000000063A000-memory.dmp

Filesize
2.2MB

Download
memory/2904-245-0x0000000000400000-0x000000000063A000-memory.dmp

Filesize
2.2MB

Download
memory/3020-36-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/3020-42-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/3020-48-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3020-46-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/3020-45-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3088-34-0x0000000140000000-0x000000014024C000-memory.dmp

Filesize
2.3MB

Download
memory/3088-31-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3088-25-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3456-165-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/3456-384-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/3544-67-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3544-69-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3544-61-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3544-183-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3656-171-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3656-457-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3904-230-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3904-506-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4080-78-0x0000000002240000-0x00000000022A0000-memory.dmp

Filesize
384KB

Download
memory/4080-72-0x0000000002240000-0x00000000022A0000-memory.dmp

Filesize
384KB

Download
memory/4080-80-0x0000000140000000-0x0000000140272000-memory.dmp

Filesize
2.4MB

Download
memory/4080-82-0x0000000002240000-0x00000000022A0000-memory.dmp

Filesize
384KB

Download
memory/4080-84-0x0000000140000000-0x0000000140272000-memory.dmp

Filesize
2.4MB

Download
memory/4100-123-0x0000000140000000-0x000000014024E000-memory.dmp

Filesize
2.3MB

Download
memory/4100-233-0x0000000140000000-0x000000014024E000-memory.dmp

Filesize
2.3MB

Download
memory/4288-214-0x0000000140000000-0x000000014025C000-memory.dmp

Filesize
2.4MB

Download
memory/4288-87-0x0000000140000000-0x000000014025C000-memory.dmp

Filesize
2.4MB

Download
memory/4288-88-0x0000000000D50000-0x0000000000DB0000-memory.dmp

Filesize
384KB

Download
memory/4320-507-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4320-242-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4396-656-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4396-279-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4948-170-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4948-56-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/4948-58-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4948-50-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download