62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269

Analysis

max time kernel
120s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2024 08:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe
Size

5.6MB
MD5

f2609071206e425f34040fbf6b285220
SHA1

67edd2081e77e937317f3abb664d1202530bd44c
SHA256

62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269
SHA512

3d6a8678ce4c2406655d5f7f22065daffa00f883c832a84fedccb57961e998ec55c063908a44919b1183b6aba7859fb56cda35cc9f83cf3aabec7363f200a6ce
SSDEEP

98304:e5WW6KEdJxfpDVOMdq2668yIv1//nvkYCRThGXBJdicotUgwoAo5beyjwc305orj:K3vEbxfjf4Y8yofvktkLdurH5iycKg4

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	Process
3288	alg.exe
4888	DiagnosticsHub.StandardCollector.Service.exe
1388	fxssvc.exe
684	elevation_service.exe
1596	elevation_service.exe
4804	maintenanceservice.exe
872	msdtc.exe
4604	OSE.EXE
4136	PerceptionSimulationService.exe
1684	perfhost.exe
4596	locator.exe
1772	SensorDataService.exe
2712	snmptrap.exe
2248	spectrum.exe
3616	ssh-agent.exe
4116	TieringEngineService.exe
3172	AgentService.exe
1912	vds.exe
1600	vssvc.exe
2084	wbengine.exe
4324	WmiApSrv.exe
3564	SearchIndexer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in System32 directory 31 IoCs

Processes:

62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exealg.exemsdtc.exe

description	ioc	Process
File opened for modification	C:\Windows\system32\msiexec.exe	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe
File opened for modification	C:\Windows\system32\spectrum.exe	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\8748e71e3e6c0d63.bin	alg.exe
File opened for modification	C:\Windows\System32\vds.exe	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe
File opened for modification	C:\Windows\system32\locator.exe	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe
File opened for modification	C:\Windows\System32\msdtc.exe	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe
File opened for modification	C:\Windows\system32\vssvc.exe	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe
File opened for modification	C:\Windows\system32\AgentService.exe	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe
File opened for modification	C:\Windows\system32\wbengine.exe	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe
File opened for modification	C:\Windows\system32\dllhost.exe	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe

Drops file in Program Files directory 64 IoCs

Processes:

62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exealg.exe

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{86C113DF-C14A-4A2D-BFB2-2F0FC039BBA8}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_87843\javaws.exe	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe

Drops file in Windows directory 3 IoCs

Processes:

62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exemsdtc.exealg.exe

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exeperfhost.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchFilterHost.exeSearchIndexer.exeSearchProtocolHost.exefxssvc.exe

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bef9848aef3bdb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004ad53f8aef3bdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000030715c8aef3bdb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007c59c58aef3bdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005947938aef3bdb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001e93df8aef3bdb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

Processes:

62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe

pid	Process
1464	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe
1464	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe
2756	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe
2756	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe
2756	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe
2756	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe
2756	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe
2756	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe
2756	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe
2756	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe
2756	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe
2756	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe
2756	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe
2756	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe
2756	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe
2756	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe
2756	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe
2756	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe
2756	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe
2756	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe
2756	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe
2756	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe
2756	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe
2756	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe
2756	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe
2756	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe
2756	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe
2756	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe
2756	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe
2756	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe
2756	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe
2756	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe
2756	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe
2756	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe
2756	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe
2756	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe
2756	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid	Process
660
660

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exe

description	pid	Process
Token: SeTakeOwnershipPrivilege	2756	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe
Token: SeAuditPrivilege	1388	fxssvc.exe
Token: SeRestorePrivilege	4116	TieringEngineService.exe
Token: SeManageVolumePrivilege	4116	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3172	AgentService.exe
Token: SeBackupPrivilege	1600	vssvc.exe
Token: SeRestorePrivilege	1600	vssvc.exe
Token: SeAuditPrivilege	1600	vssvc.exe
Token: SeBackupPrivilege	2084	wbengine.exe
Token: SeRestorePrivilege	2084	wbengine.exe
Token: SeSecurityPrivilege	2084	wbengine.exe
Token: 33	3564	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3564	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3564	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3564	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3564	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3564	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3564	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3564	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3564	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3564	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3564	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3564	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3564	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3564	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3564	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3564	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3564	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3564	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3564	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3564	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3564	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3564	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3564	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3564	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3564	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3564	SearchIndexer.exe
Token: SeDebugPrivilege	2756	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe
Token: SeDebugPrivilege	2756	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe
Token: SeDebugPrivilege	2756	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe
Token: SeDebugPrivilege	2756	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe
Token: SeDebugPrivilege	2756	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe
Token: SeDebugPrivilege	3288	alg.exe
Token: SeDebugPrivilege	3288	alg.exe
Token: SeDebugPrivilege	3288	alg.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe

pid	Process
4892	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe
4892	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe
4892	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe

pid	Process
4892	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe
4892	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe
4892	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exeSearchIndexer.exe

description	pid	Process	procid_target
PID 2756 wrote to memory of 1464	2756	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe	90
PID 2756 wrote to memory of 1464	2756	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe	90
PID 2756 wrote to memory of 1464	2756	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe	90
PID 2756 wrote to memory of 4892	2756	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe	91
PID 2756 wrote to memory of 4892	2756	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe	91
PID 2756 wrote to memory of 4892	2756	62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe	91
PID 3564 wrote to memory of 4420	3564	SearchIndexer.exe	112
PID 3564 wrote to memory of 4420	3564	SearchIndexer.exe	112
PID 3564 wrote to memory of 1808	3564	SearchIndexer.exe	113
PID 3564 wrote to memory of 1808	3564	SearchIndexer.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe
"C:\Users\Admin\AppData\Local\Temp\62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Users\Admin\AppData\Local\Temp\62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe
  "C:\Users\Admin\AppData\Local\Temp\62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe" --local-service
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1464
- C:\Users\Admin\AppData\Local\Temp\62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe
  "C:\Users\Admin\AppData\Local\Temp\62f9f615c051f0962ecb4878a80ad4bf74cc037394734dbe95106251bb6c8269N.exe" --local-control
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4892

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3288

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4888

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3548

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1388

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:684

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1596

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4804

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:872

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4604

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4136

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1684

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4596

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1772

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2712

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2248

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3616

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4532

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4116

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3172

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1912

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1600

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2084

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4324

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3564
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4420
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:1808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
6cffc2b524e7099ec77899c45fad6ba0

SHA1
4d687fb908c6d2911c44b3629b70ebf3226f5541

SHA256
13541969b81d23c311791661dd83199415483156ca7feead6eaa145b3134ad7a

SHA512
614923f72510042193ffeba0caf101fe0051f291952b5563b42e9476f34f3ed13b3752ea92d6756cb5c261b2026c55fbbb4e80f6d50775c14f2bbc920fac2e0a

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
525188bb4b46e1825d5d80176c7aa375

SHA1
39d7202659d2558ab1ac1f2c21f1bdecfbfb53e0

SHA256
56056ca7e5aa5d524b64763b7b2fea1ad60f60040ab70898b4a9b3ef4e3cd4c5

SHA512
b0ab937661ef42d3366cb3856eb9eab166cf9f9704dac7b3cb659c068857c9a4cccdee626b19931e24a7194a12122e42d471f32b425b358d98007b77af1edb15

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
947528be1f5f23fe4ce8570b2c3dc8e0

SHA1
8729925b0c877907e3437d05debed113e396207a

SHA256
05938a671e748da60157fbe09e024d745c774a14668f0119e27f08fdffc25521

SHA512
9643805bbcfcb02bd258acd91fdfea1eab63f0e068b751a7bd9f9e923c4c90b2c65dfd631779e874812a1530c065034e2f04598a1d2205752c39ae41a3e71a27

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
6afdfaee6541c8e10e6049322d0a6995

SHA1
1d18c7f5fe74c4cd99fb817af8adc7e20ab0757c

SHA256
3d2b8aac5a66d5ad43788bbe550879dde84894a2482541ba1fa22943cdfe4d36

SHA512
4aa6814949a802afe71773aa664b57b9336ab336093265446f169f113b0e885a6faf75e0b91c8ea8f28c26041a888813ad9fdad6afd79952c80c437b296ebda3

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
af16919e304d9f9e9f3486df8d24ab10

SHA1
b35987a7036ba85f402bc9b7f2e93587ea4e52c7

SHA256
ebd1a123ca82b8f28e3f8821b4c7e929845377e298e6773dac8a86386b942b0b

SHA512
68a0b8b9bf469437eaba0a1f9e1942772291be15dee185d764377145d5fe1c79b305e939b118c6d4afafea703b2799fef4e15080e3cde82cde46d96c83f68563

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
c9b868a3e215d577fe72666ffd087991

SHA1
6cc389aba157821f38d22f90cc7b39611dfa6061

SHA256
1feecb870acb2e4226821eb21b1e427fb57580d7d85823276522e072b3a8b2e1

SHA512
908f3e6db627b671a9b3045bb55c76aab9a0063815f09a839aa705e0ba3049b4aed58b63f50dd3d04c51d3ab136ef1a896e498ff41bb7b42514669c34c7f75d9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
c8357ac8e1982d096ac80f55ba87e288

SHA1
45238607fe52061f5db1809908f5630cf39b83f6

SHA256
de64f8397b3ebc7859968e0e4deeebb6e96075214f49f693e851aba0f6fc1a7f

SHA512
4c9dc9f51670b92b68ca002618e8a7d0a574c2568d0fcb17a8e38e5e7fc8ff635b9e21d373ab124f33acb47c63fbc5a4a10fa64283f57bd71b3739fbd705bfad

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
4f3ecd35d44cb0f796aee0af5cf3f593

SHA1
759258fc4b24f42b552ec0304983a2c4c693820d

SHA256
068f6f69cb4f66fa295ba5552035a936f8c77ab868e7a62c8fbbcd7f32d83cb9

SHA512
06a5423c0849e787b6bae691abc9ebb9c7c88e9a106025956c72273550da1a1e4cb730a09321bc81dcbf069d9c281e51516dac4ce610008cc9adc4e431dff9c5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
7bcbc5ffdd0045cd4d51fb4075f84d2c

SHA1
000970c6e65f90553b9e6cb1660e0ac8562a9360

SHA256
bab6413efd8c0adca5fe351e597678fdf6db8bfd74c3c878ebca953d8be72dd0

SHA512
71e47f88bdb6830e3076de1f46e3acde9b352d43a8fbd8742ba223fae8b4e700ddf4311d7c07ef13a2b162e98b2c5460e738943b47b3a1a9475bd7c4e5e96301

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
e21723aadf189352c283b0d033658cdf

SHA1
b45345f093d4175e5a693ca55a81763f87d39cc3

SHA256
4689a508618feb0e117320e89d537ad0426ea8de74d0e41167b2df9ac2cc9b87

SHA512
229140ca54be58619c9aa6d8e8a7431563f6f18d6babf3f433189f35e70b056fd0424e88425051f9d5623c5b87765e4373f25c896b9382421d8caefc04b0390a

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
8d69a76cb7cfb4ddffa23bdac177a715

SHA1
0071cc42591d4cfff8c6ba7cd30d33b075172547

SHA256
91bd82d918e6b497ae48a38d0d917c2e810e852ba2ef03b98e991bc1680d0f98

SHA512
eb18277a6d18e1c0569f162f8848a20778b6b1d645a517f153836469e57488173a0238603af7257e882decfdb086dd35970692c6cab73927ccecb61110ab60ad

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
978cbd4228a3afeb1dde8c4c0388823e

SHA1
6abbac5e5c3ffec46ea513edf3d65373f6b7c4d6

SHA256
9749217875a4fe1cc296b3ca299bb5ed88d77182b645d52e234069ba1ca42856

SHA512
3c2a7b9cea4bda176bc80369af037866534f7a9c3c08eaff4dc4973f898fb7af2adb46e2d5648e9e04ed77d149ea971c1b5a7efa4424530bea53096aa937a631

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
41cbce7fcfef4946ff4d4ac5ddd7f3a4

SHA1
dba5eb3706e1c5b47a26cd0dc0b5a7aef9ee40ca

SHA256
32efac89b4d6a5c7799370312cd0e61a6b91b7e7abfe5a826712ddd961f8a721

SHA512
44962b99ac3bb25c1da282277fe68312f3c7c5ff12005b7677f835b5e0de7bd9bf095ea6f4fa0eead60d5081e7b71c0b0bac660a6fc1da47c8312db5f4c825b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
ad4999c0ec8d6ef472120e2d801403ef

SHA1
b8c1eb0936c1c725ad2e49d4b3356dea99b63d63

SHA256
e051c5f58cf720a39cc2a3b9a4b8046097cfe7abf76a263e330cdfdbe7f78fce

SHA512
c226b8e6e16dd9ce8f0cfe7f429672f6a4171f80e4595f6957c8990d5ab215c8d6a01cd532ab73d1245d1b3c95297cf4a16167ae27639d2a454774414b3d3731

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
ee889d0b3dee68b9b4daddc549def483

SHA1
5936ee614fb4f72e98d314ead843d405cf96cc88

SHA256
b0e98112487f1572a0d6de77c3657c49d953b69235a0946fd55665117dbecb42

SHA512
883fef7afcdc50c12f155add756045b974b6cb139ec1a703eec45bc8c7e05ad95d8bd6e931a86af2a7b2e6bbcd06f4c151ea71223a752b4fb7285cfc90df26ee

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
23e6faa112f86f588be6ee08fc4f405a

SHA1
228477d97913acd42ebb5295b9dc8e2ca743bff3

SHA256
02caf75e8ab9125b27e2bee63d99d06b77236bd6698d31c5e13d3491f204c01c

SHA512
eb7ad9b23a8a17675e3b258de5e5d21ed42248bf39fd1dc24baef091850bde9f2b9aec8dcadbb4cf92eaea960e64ddb3dd5bda66f41ffb84ec5d19063095f4c8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
27aa980bc9cad9500792c4b14f47abc2

SHA1
04eb8534180c09d15156e8095a75bc64078fecb0

SHA256
35e973d28f7699c9b279bc10a6c1d0dafd82c40730ba1acdc2ae8e953aca4163

SHA512
39359bc16334f1904eb459fc5d8a6f249ca424f01dd2a678437ad2f00d5da7a293933d4aed01c1e77ffe013dcaad59c771c2310737aafc9742651127fb2d14df

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
701B

MD5
7fbe83c27fef7a8d8ce4ca87700895cf

SHA1
096ea9d7158572b828cece7ff5e1ef23a8e4f3fb

SHA256
0bd514a4b87cdd80d73650a697e3785513a4fa5842bd520ac0a29e24045856ed

SHA512
518d28430779efb09000aa0f0493489b9d19196e20adbc1706307628d439a70056d32b8899087a21541fa866096b2fa6e88def1136b7d3035ac4cc62e471e948

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
758B

MD5
85f40d656d9fcf914d0969e1f9d0bbcb

SHA1
99dba8968788604d6624e937c38855b52b944bec

SHA256
ae552a3903d7a8e15a7201f06e20605ae3aad65e6355096c826cea0f55257926

SHA512
f5da943e7a486f9e04f8e893814a1f702d83fb0c5e80fd25513b8d0f71325d2d644cba9b0c2ebbd9aedd757c81b8e21f325e927a8bfe6c086c4993c725f5b5eb

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
af9050b251d5a2d08a766b87881f9521

SHA1
1f9c19aa5f52adb68dd81a1a6c9d9fbdd472476f

SHA256
14c52667f6346c777b04b6b6171a34420d451ee5ed3b62b35d520ac456d9363d

SHA512
674b73211464599dfbcafd49e2835b582c7eafe520cc3e226b85c1af67c89f7d1ec0148c1339b1ec6004eb33ea75e0263046375026efe7976b3297c314b8a785

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
9fd3755a8b1bf98eb141b7d095a38154

SHA1
184968d9f34f55a542d9572248d7f666a27a8fbf

SHA256
f22b47ba5ee377fc447ae95c67a2872001fa64d21504651175b9ba925434c8c0

SHA512
a33ee8cd847ef9823af173159bbbfe93ad469598cb5ab6d7064ac52d389598aae0157ce8d9318234354006e839b4de0d79ea4573ab1580322d920dda3f2fdaa9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
5b1aff90decace36c83a99a011b4936a

SHA1
3268207ed5d1ca591df0720fc8532a8b2136b75c

SHA256
5a24f9ce973da809179b54163d5ee0b4039b647bbd02319084b116af7ea1293e

SHA512
365a74a7086ca6b2ee7b72b4c11b5e7016496491d4ed3f741b2ef660d5775c5a327f6e87dd801fcdf660998978259a0fefde770efdfaca9138c561b7daa9927b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
8024898adc79034038ae80f625c9329a

SHA1
9abe400f89c9d7553d197ab5f447454b5cf6b398

SHA256
483b170c9af85f6025885412a7e384277824ec6432ceaedb1187484edd8ed0d1

SHA512
31b6823d1f5a636c18246eb35fd950c2414965bb7e8a5dc386fc30ac1e6d053ebf2b3d77de725b43c9fbff637e1d97e17d2b7f870ba4e9fe5dbe9678b338c69b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
0722e49ab32912de95415580626a484f

SHA1
a67aad01e3351af53e923cb725ebf592f64041e2

SHA256
db78545cabe4d68e2c5323384db4e05dd276c441f296fa8eeb766230dd79b0ae

SHA512
78deb82d617f4c5dd34bdcf5447b5d0e066122c46b299938a6ace6f93ce9d60c3601bdb1ebe981e54a9677ea36c2019ae793b59837a552fc8ce84386440283c1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
156cfdb780b459daa741659a7c58d2fa

SHA1
e4261741f0bfdceba7b1690def67127c3ef8ec3e

SHA256
e27eeefb974af94e6305783fdcc86bb3890c3d28fe74728976306db521397354

SHA512
f640fd623d920fe3434c1e2aefe900fa11e8d9bbc3480f6ba5937264f570135d181ef663b7d9ac8da946abe75b2f7594d7c2f9abaee9aa0482c1a70009564f3b

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
eac1251465fe4d90a8aa601c0eaf06c8

SHA1
60e74dc1b09d9b4a56264a0043a176f497c6a6bd

SHA256
90b900685afc7acdfaaa7e74d60a28405062e1554890d65f25fcbd33a2054bf8

SHA512
63f385eda5d47d01e7b1e4364f2b32ad7beb31f7fc1505d70ca74ecbc2af9fadce0400793188a5936c9d993b55befeb7c835aecc55d2fe29200b9b5e1c96d8bf

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
0bea8b9172c29c60df77602eff54f21c

SHA1
ddaeca2e6873420ab747d438610010a12c89d7d0

SHA256
8b996a335f7ef9b3534aeacc1b0641e0853bfcf564b8dc7de8713872bc2117dd

SHA512
1517b5af4d4b26cd018e6487d4dbe300016e1e17018c727040bcb28db169e9a28fc0d7a5701b333c6b80cf18535c9453c819f46041e69d017f29e7f34d3901c3

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
f36e674787dfa97a6d10eee30e89a9e4

SHA1
a4ac69958515af1efca14d28548a36f74ab8f7ab

SHA256
fbe9c1ad04924afeb8ac87415c31c90d0fbd327c5a7472ba025273fc73366b30

SHA512
9a30448d9d6f705981f36b9f0487285f241db0cae6151d3f91fc11a03843fa7d18a7eca4be8ff81baf517705f5e57b132523605eec591bd7259fe704f8ab0558

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
b35e42f393bd5580f76adf9f3bca668e

SHA1
087fba373c284e1bf67af917785d0bbf078c2856

SHA256
e20b9882bd0ef023c03380b4a55a18ee6bdcd8e266bc2afce622ec48a83f6cc6

SHA512
689217d541fbe771d1584bcaab4206f71489512a6550d39231621613129b6979f6b1ea22fb7f010af00512755a6f9d403ab0420611dd24523526336dbdded136

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
6eacfaea3a231bb8fdb75926b6fc65fc

SHA1
6ae304eeed2bd379e41afb1cd63d68561567e81b

SHA256
041138cfc5a0c9dab66ce67f443cb6561f455275bea96630233e0d6293acdd2f

SHA512
1246a44ffc0739a8230280e1ea3e17fa96f0d6a430a21207dd4161a1c52a316e80df6e3f3094a8e8e6f166b90fb75572719c3320bf00ea76cd1e3807a76148cd

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
690c94f8cc82e135ae55a843bf38dd63

SHA1
8330c17a43edf94cfce9681b2eb203dff8f71f1b

SHA256
2925163e494567b63d5f73b9b8e4907ec3d9c82c2770449b29599746b62e0ceb

SHA512
a9c91070fa38607e25eedbfe6c4d2ad5691dbfeb8e312dfa28424fa050a954d728f6c49090c240d9f1cf1f7bbc3e48cea5a4f3926a03807404013359822af997

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
ae18e720576076942c71916802235a79

SHA1
93993bdee23fb3fb1b3b4233efcd294ed4a00c75

SHA256
03309f4c319a3a698ffc5b7f2cc73be6c9245b171fafd07219d679cff80e4763

SHA512
08c407b9028d0cce8e1637d76fabd48fba3deed8904d837d48558ab352a3347bbc6238c4ec2d7eb6eb56c5562b19280c9447c3194257a8b5046781f0aaefd638

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
61520d7e695436b97ca0468b6db0bcaf

SHA1
e5375ff1a81eb1109027af16fead9d6609f96525

SHA256
1979fcbff18c0f64852323e8879bbcb385b728243b8640ca88eb9b3333608ea5

SHA512
559b28dec322a88cf6e41629eb7078ec245807374804063646670e7207ce6bbee41687762db4be3b66dfa7ddcfa929ceb32db6c54bbbf4b6b67aa1b50010d330

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
a069c3d1c2edefebccc149b60094627d

SHA1
666f70726d1fcd961dd9d5af99a0ca7c1419093f

SHA256
e6c2d191fa820186f64e2bc4d9e47a874fcfe488aa50acab923b3080b527469a

SHA512
eb6818708e30469651335fcb3f9ada6a09152897cb1eea47bc79a11ed9cd8fdc5cf0e5deb275dc27391ae7e445e44c3e224d4b410be6908a84d7bfafe4367605

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
38f19a53bf86b49ae5220decb4d08dff

SHA1
b4466ff1e4bb98f5182fe15a684806776d5c6a93

SHA256
a853933ae3966649ffa26ffbee4f15a09b7c7513f6b532834079cb075d3a947b

SHA512
4d8aeed0bd644a48bac5bac800ec5beacc06c9e9a431397299d702c22a1f4019c1321af2370a454f9df66cc88ec8fbc68534f571fdca9c615d5a73d0896f7579

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
6a8b60cb37bbbfb2d22694defff5d906

SHA1
513d17fca13e4c6202183d275a295a217291f8bc

SHA256
7ddd5ee555aaf315a058e46d9375da4f1bf9824940979ae8bd9f9335c72fe606

SHA512
99df4a54de122c4d07a6acc6cf281968ed02f05f617d8de7ddc141405bab0cbba8381445e76caab1334714e2624d881ec1852576560b6b6ebf62685928b50234

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
255e66b237984c6249bec594706adb8e

SHA1
ab2795ebc6077fd92e9e30e3eb2446bfb22491a6

SHA256
44f7c221bee6f950abad01e731fefaa773285f138f8dc2963d4df223af056467

SHA512
3f89422ff15665ec369c7206c2eea1400fc517eb13d0a309fa8fa62c39e7356b6c0091ee5e2e86f192465af382a0b79320c475f5b4c3257e0df7e1f8553c9176

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
7597178d3f1784c13fa6b4b07d772745

SHA1
bec22d377e26c34a108aa99703480ce58500cb64

SHA256
2005d767d60998108847ca98177a672cd9cc5a4d44253cdd2c2c4f6d370de69b

SHA512
ce1b4b5ea896d18cd4e919b01aa63dfa4ee759ec1db17f83ac27f8c387ac39c01d27cd040653adfd442ba94fb202f14a07e5f534ce0f43de4cd3a38e03f5db1c

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
e3d700bd06a594eafe9d667df70fa69f

SHA1
d6cbcf66880b0c1a93b10abb81c0ff84ec76fafd

SHA256
8e7ecfcac17d0cfdebf44e51a377e7211893c2f93d336913dd1515ad0edde911

SHA512
8df83afece3aa9fa842e3e1957f5c78ced7d9aef82844d24771367d16bb36e645621bcb7ce89082551f78fe6005c4d1360e10c40f08595de31506b00cc740bf8

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
d7c7315839bacdb4d9511e8d0af40b2c

SHA1
35d7e391a847d92e8932b2d739d63edf47ce170f

SHA256
1342cf225346a611cc37ffcd8182dd7858f73768375a150224c021865e4a75f1

SHA512
c530dfecf36ef46978a0aa07839cf1e824135d6ba574c9230f56c968abde8b1a6a2b4d20de725f184e0c35f0849ce73f6530d5389417abb341cd6b84c7ba744d

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
8318e208ac4f8e35fb48fbdb944581d0

SHA1
0fabe518d388a287aebd64c99f609bcd15edd35e

SHA256
8e163aaa4cde38c67055d23b31bdff58e6844f2d3c18b2d4357c232cf3ab0b75

SHA512
e2644212aa9c54174cfb300d7e7d4ffef2133e83cb2eaabc3c806de6e247b109ee53bbad2d48b6af032b7a03956e558191581f17dddef0365691534bc98d9930

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
fc47847217cc9f26edd1912b21d00268

SHA1
7ddc532cc6658b37963b9375ab21853bc4517673

SHA256
e576a2cfb856996aaf26a4f6969181d873991f6c6bfe72c46a10ceb01c17876f

SHA512
ff4ae7fabfede9fadfe606f5e91141d3298db5e2b75d8cd74a7b00397b992b61c4d467f70f41949eb4ed830b1059f89ac74d04a7f5ae1476ae9e334f3a4ae3d3

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
b378b519dc144239bf25ded21cefc79e

SHA1
bb6c40d09d24b61fd8f902eeb6b2046c7eaf8b74

SHA256
579b790ce1bfdd29073fb144a8d2721659072a9839c556011bdfb38b63a69a49

SHA512
b1465157d158a95d49cd515e24105bedca655a35f6b3187a9e918704f9a8afc2dabf343db1e97d5d69bf61210bce6b4dc454e350c2dfb73cdc196b1089714365

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
106d80d936cd6976440bb7d953414cac

SHA1
f4b7dcef7f99a414fec10bab1824404058c00367

SHA256
64909d2da3ef8e781e0a5e1b1936c4d2954f689b1106cec1fb51aa4061ac9783

SHA512
6ad5e40f1bd57e8b685102f99f6b7216eb9ed97f856048a0c9e41b195fe967822dc8b996c2b37d40c88961383d3a0866465c1bdb2538cc536018354ad9b4a920

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
0492f7d68ad9bee2abefbb4efd2e63cc

SHA1
a7f589d12bd5974f5a816bcf4b8e1a69f5f7b875

SHA256
814db0144d1de2231d8389718565cb628b3439187f8a02dfd3de0a1bf25672db

SHA512
892ee3f94f260c96a7bbad7f7308df5615594c4a05fa7303ce83079d6c4a5bd5a73f732f02cc6643e0100a25ca7a12c14c74d9f0c6b2e511b24b0d7b89b2f402

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
50aa61832acfce6df5100828b3968b2d

SHA1
009a4afafe0f5d2af35f26d0939183962ff7d9ae

SHA256
ddcf09e3ed7531a1abf446da177e596ab50c7dcfc639d2db9b5e0151a8ae5a05

SHA512
4560c7055363924531db7b6eb25b0f0e5145f2fd852477737f86d7f98cff21ebec47ce094563946ab15b1ab253c5b7b5813e289c39940d8a60b943523ae8291c

Download Submit
memory/684-264-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/684-56-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/684-50-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/684-49-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/872-520-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/872-115-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1388-38-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/1388-46-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/1388-63-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/1388-62-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1388-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1464-462-0x0000000000400000-0x0000000001BD7000-memory.dmp

Filesize
23.8MB

Download
memory/1464-109-0x0000000000400000-0x0000000001BD7000-memory.dmp

Filesize
23.8MB

Download
memory/1464-93-0x0000000001CB0000-0x0000000001D17000-memory.dmp

Filesize
412KB

Download
memory/1596-67-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1596-73-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1596-75-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1596-281-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1684-178-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/1684-583-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/1772-250-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1772-661-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1772-683-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1912-523-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2248-282-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2248-713-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2712-265-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/2712-679-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/2756-0-0x0000000001F40000-0x0000000001FA7000-memory.dmp

Filesize
412KB

Download
memory/2756-7-0x0000000000400000-0x0000000001BD7000-memory.dmp

Filesize
23.8MB

Download
memory/2756-64-0x0000000000400000-0x0000000001BD7000-memory.dmp

Filesize
23.8MB

Download
memory/2756-5-0x0000000001F40000-0x0000000001FA7000-memory.dmp

Filesize
412KB

Download
memory/2756-58-0x0000000000400000-0x0000000001BD7000-memory.dmp

Filesize
23.8MB

Download
memory/3172-336-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3288-20-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/3288-21-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/3288-114-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/3288-11-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/3616-297-0x0000000140000000-0x00000001401A3000-memory.dmp

Filesize
1.6MB

Download
memory/4116-519-0x0000000140000000-0x0000000140183000-memory.dmp

Filesize
1.5MB

Download
memory/4136-570-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/4136-155-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/4596-190-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/4596-623-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/4604-566-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/4604-141-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/4804-112-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/4804-88-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4804-90-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/4804-82-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4888-33-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/4888-25-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4888-34-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4892-518-0x0000000000400000-0x0000000001BD7000-memory.dmp

Filesize
23.8MB

Download