Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 158s
max time network: 164s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/05/2024, 00:46
Static task: static1
Behavioral task: behavioral1
  Sample: 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
  Resource: win10v2004-20240226-en
General
Target: 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
Size: 3.1MB
MD5: 3d194c2fea82e0501a2b6abfd9c3a9da
SHA1: cbab5841da570d51fba5580b4201320111fbd537
SHA256: 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5
SHA512: f97bbf00be779344c1c1cfebe4d7eb52ea0cebd14c51bf17da52cd9cc3bf7845c39e480ea49bf15a8a2b75745a4dcae30ed3c228dfad5fe8113d78ca92d25616
SSDEEP: 98304:wHgNDfXQ1veFPk5FaoCRrgGUDxuUyuFC4Qmd1:JDfgZeVmCJWlQQ/
Malware Config
Signatures
Executes dropped EXE (24 IoCs)
pid | Process
3948 | alg.exe
2184 | DiagnosticsHub.StandardCollector.Service.exe
1936 | fxssvc.exe
3596 | elevation_service.exe
4192 | elevation_service.exe
2080 | maintenanceservice.exe
4284 | msdtc.exe
4552 | OSE.EXE
4392 | PerceptionSimulationService.exe
2340 | perfhost.exe
3560 | VCREDI~1.EXE
1040 | locator.exe
824 | SensorDataService.exe
4100 | snmptrap.exe
3656 | spectrum.exe
4936 | ssh-agent.exe
4716 | TieringEngineService.exe
3160 | AgentService.exe
3852 | vds.exe
4272 | msiexec.exe
1256 | vssvc.exe
3016 | wbengine.exe
2224 | WmiApSrv.exe
4768 | SearchIndexer.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | VCREDI~1.EXE
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
Drops file in System32 directory (24 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\System32\alg.exe | 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
File opened for modification | C:\Windows\system32\locator.exe | 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
File opened for modification | C:\Windows\system32\spectrum.exe | 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
File opened for modification | C:\Windows\system32\wbengine.exe | 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
File opened for modification | C:\Windows\System32\msdtc.exe | 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\a599c344b3e2edcd.bin | alg.exe
File opened for modification | C:\Windows\system32\msiexec.exe | 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
File opened for modification | C:\Windows\system32\AgentService.exe | 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
File opened for modification | C:\Windows\System32\vds.exe | 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
File opened for modification | C:\Windows\system32\vssvc.exe | 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe | 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ielowutil.exe | 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe | 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe | 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe | 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe | 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\servertool.exe | 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe | 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe | 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\extcheck.exe | 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javadoc.exe | 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\schemagen.exe | 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe | 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe | 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe | 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\iexplore.exe | 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jar.exe | 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdeps.exe | 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe | 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe | 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe | 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe | 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe | 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmic.exe | 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\servertool.exe | 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe | 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe | 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE | 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe | 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe | 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe | 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
File opened for modification | C:\Program Files\Mozilla Firefox\minidump-analyzer.exe | 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe | 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe | 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jcmd.exe | 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsimport.exe | 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe | 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_156609\javaw.exe | 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe | 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe | 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\klist.exe | 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe | 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe | 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe | 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\orbd.exe | 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe | 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe | 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\mip.exe | 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmid.exe | 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
File opened for modification | C:\Program Files\Mozilla Firefox\plugin-container.exe | 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe | 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe | 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
File opened for modification | C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe | 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
File opened for modification | C:\Program Files\Mozilla Firefox\pingsender.exe | 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe | 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javapackager.exe | 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
Drops file in Windows directory (2 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | spectrum.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = [value not preserved in the extracted page] | vssvc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Modifies data under HKEY_USERS (16 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cdfa80a1aaa1da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e2076aa0aaa1da01 | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000070f64bafaaa1da01 | SearchProtocolHost.exe
Suspicious behavior: EnumeratesProcesses 35 IoCs
pid Process
1312 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
1312 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
1312 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
1312 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
1312 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
1312 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
1312 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
1312 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
1312 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
1312 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
1312 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
1312 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
1312 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
1312 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
1312 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
1312 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
1312 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
1312 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
1312 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
1312 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
1312 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
1312 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
1312 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
1312 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
1312 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
1312 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
1312 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
1312 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
1312 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
1312 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
1312 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
1312 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
1312 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
1312 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
1312 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
656 Process not Found
656 Process not Found
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 1312 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe
Token: SeAuditPrivilege 1936 fxssvc.exe
Token: SeShutdownPrivilege 2588 msiexec.exe
Token: SeIncreaseQuotaPrivilege 2588 msiexec.exe
Token: SeRestorePrivilege 4716 TieringEngineService.exe
Token: SeManageVolumePrivilege 4716 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 3160 AgentService.exe
Token: SeSecurityPrivilege 4272 msiexec.exe
Token: SeCreateTokenPrivilege 2588 msiexec.exe
Token: SeAssignPrimaryTokenPrivilege 2588 msiexec.exe
Token: SeLockMemoryPrivilege 2588 msiexec.exe
Token: SeIncreaseQuotaPrivilege 2588 msiexec.exe
Token: SeMachineAccountPrivilege 2588 msiexec.exe
Token: SeTcbPrivilege 2588 msiexec.exe
Token: SeSecurityPrivilege 2588 msiexec.exe
Token: SeTakeOwnershipPrivilege 2588 msiexec.exe
Token: SeLoadDriverPrivilege 2588 msiexec.exe
Token: SeSystemProfilePrivilege 2588 msiexec.exe
Token: SeSystemtimePrivilege 2588 msiexec.exe
Token: SeProfSingleProcessPrivilege 2588 msiexec.exe
Token: SeIncBasePriorityPrivilege 2588 msiexec.exe
Token: SeCreatePagefilePrivilege 2588 msiexec.exe
Token: SeCreatePermanentPrivilege 2588 msiexec.exe
Token: SeBackupPrivilege 2588 msiexec.exe
Token: SeRestorePrivilege 2588 msiexec.exe
Token: SeShutdownPrivilege 2588 msiexec.exe
Token: SeDebugPrivilege 2588 msiexec.exe
Token: SeAuditPrivilege 2588 msiexec.exe
Token: SeSystemEnvironmentPrivilege 2588 msiexec.exe
Token: SeChangeNotifyPrivilege 2588 msiexec.exe
Token: SeRemoteShutdownPrivilege 2588 msiexec.exe
Token: SeUndockPrivilege 2588 msiexec.exe
Token: SeSyncAgentPrivilege 2588 msiexec.exe
Token: SeEnableDelegationPrivilege 2588 msiexec.exe
Token: SeManageVolumePrivilege 2588 msiexec.exe
Token: SeImpersonatePrivilege 2588 msiexec.exe
Token: SeCreateGlobalPrivilege 2588 msiexec.exe
Token: SeBackupPrivilege 1256 vssvc.exe
Token: SeRestorePrivilege 1256 vssvc.exe
Token: SeAuditPrivilege 1256 vssvc.exe
Token: SeBackupPrivilege 3016 wbengine.exe
Token: SeRestorePrivilege 3016 wbengine.exe
Token: SeSecurityPrivilege 3016 wbengine.exe
Token: 33 4768 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 4768 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4768 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4768 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4768 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4768 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4768 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4768 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4768 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4768 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4768 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4768 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4768 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4768 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4768 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4768 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4768 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4768 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4768 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4768 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4768 SearchIndexer.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process
2588 msiexec.exe
-
Suspicious use of WriteProcessMemory 10 IoCs
description pid Process procid_target
PID 1312 wrote to memory of 3560 1312 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe 102
PID 1312 wrote to memory of 3560 1312 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe 102
PID 1312 wrote to memory of 3560 1312 7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe 102
PID 3560 wrote to memory of 2588 3560 VCREDI~1.EXE 104
PID 3560 wrote to memory of 2588 3560 VCREDI~1.EXE 104
PID 3560 wrote to memory of 2588 3560 VCREDI~1.EXE 104
PID 4768 wrote to memory of 5356 4768 SearchIndexer.exe 127
PID 4768 wrote to memory of 5356 4768 SearchIndexer.exe 127
PID 4768 wrote to memory of 5456 4768 SearchIndexer.exe 128
PID 4768 wrote to memory of 5456 4768 SearchIndexer.exe 128
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe"C:\Users\Admin\AppData\Local\Temp\7f8236718e14c992a25256f72818696be35db8fb6398498a0e68e679907bc8e5.exe"1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1312 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VCREDI~1.EXEC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VCREDI~1.EXE2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3560 -
C:\Windows\SysWOW64\msiexec.exemsiexec /i vcredist.msi3⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2588
-
-
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3948
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exeC:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe1⤵
- Executes dropped EXE
PID:2184
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv1⤵PID:4068
-
C:\Windows\system32\fxssvc.exeC:\Windows\system32\fxssvc.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1936
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
- Executes dropped EXE
PID:3596
-
C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"1⤵
- Executes dropped EXE
PID:4192
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
PID:2080
-
C:\Windows\System32\msdtc.exeC:\Windows\System32\msdtc.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4284
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
PID:4552
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exeC:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe1⤵
- Executes dropped EXE
PID:4392
-
C:\Windows\SysWow64\perfhost.exeC:\Windows\SysWow64\perfhost.exe1⤵
- Executes dropped EXE
PID:2340
-
C:\Windows\system32\locator.exeC:\Windows\system32\locator.exe1⤵
- Executes dropped EXE
PID:1040
-
C:\Windows\System32\SensorDataService.exeC:\Windows\System32\SensorDataService.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:824
-
C:\Windows\System32\snmptrap.exeC:\Windows\System32\snmptrap.exe1⤵
- Executes dropped EXE
PID:4100
-
C:\Windows\system32\spectrum.exeC:\Windows\system32\spectrum.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3656
-
C:\Windows\System32\OpenSSH\ssh-agent.exeC:\Windows\System32\OpenSSH\ssh-agent.exe1⤵
- Executes dropped EXE
PID:4936
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc1⤵PID:1716
-
C:\Windows\system32\TieringEngineService.exeC:\Windows\system32\TieringEngineService.exe1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4716
-
C:\Windows\system32\AgentService.exeC:\Windows\system32\AgentService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3160
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Executes dropped EXE
PID:3852
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3808 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:81⤵PID:2348
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4272
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:1256
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3016
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Executes dropped EXE
PID:2224
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4768 -
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Modifies data under HKEY_USERS
PID:5356
-
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 8962⤵PID:5456
-
Network
MITRE ATT&CK Enterprise v15
Downloads