76082ff45cc7055692bd65c79ebe843ad9a150b0366cb03b4011356bba0ffd9e

Analysis

max time kernel
144s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-12-2024 17:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2754574ba546bfe49fc852b87cf85e2fca988b0cff0394abe08e9e4dc934d86a.exe
Size

4.2MB
MD5

abc71afce20361e6adb58586902680bd
SHA1

31a7932bbd23c00600418329fe700b9549578173
SHA256

2754574ba546bfe49fc852b87cf85e2fca988b0cff0394abe08e9e4dc934d86a
SHA512

8b2ac77de848c034a945ca974f74494604c0f75db78bda93770899e707d7545ceae2c2caa40146e9c4f2cbf32a069706f435a4279e0787e909cb19f6ed2465ee
SSDEEP

98304:jgcsAaZKipxGeoD+LTziBJYfl7Yh7wRGpj3:aPPeD9Yfl7cF9

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 24 IoCs

pid	Process
3080	alg.exe
4088	DiagnosticsHub.StandardCollector.Service.exe
1168	fxssvc.exe
3888	elevation_service.exe
2024	elevation_service.exe
4516	maintenanceservice.exe
4324	msdtc.exe
3712	OSE.EXE
2932	PerceptionSimulationService.exe
2952	perfhost.exe
3448	locator.exe
4844	SensorDataService.exe
1556	snmptrap.exe
3404	spectrum.exe
1736	ssh-agent.exe
3560	TieringEngineService.exe
1744	AgentService.exe
1776	vds.exe
2628	vssvc.exe
1304	wbengine.exe
3848	WmiApSrv.exe
4584	SearchIndexer.exe
4980	msiexec.exe
3396	msiexec.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Enumerates connected drives 3 TTPs 44 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	2754574ba546bfe49fc852b87cf85e2fca988b0cff0394abe08e9e4dc934d86a.exe
File opened (read-only)	\??\K:	2754574ba546bfe49fc852b87cf85e2fca988b0cff0394abe08e9e4dc934d86a.exe
File opened (read-only)	\??\T:	2754574ba546bfe49fc852b87cf85e2fca988b0cff0394abe08e9e4dc934d86a.exe
File opened (read-only)	\??\V:	2754574ba546bfe49fc852b87cf85e2fca988b0cff0394abe08e9e4dc934d86a.exe
File opened (read-only)	\??\E:	2754574ba546bfe49fc852b87cf85e2fca988b0cff0394abe08e9e4dc934d86a.exe
File opened (read-only)	\??\H:	2754574ba546bfe49fc852b87cf85e2fca988b0cff0394abe08e9e4dc934d86a.exe
File opened (read-only)	\??\m:	2754574ba546bfe49fc852b87cf85e2fca988b0cff0394abe08e9e4dc934d86a.exe
File opened (read-only)	\??\O:	2754574ba546bfe49fc852b87cf85e2fca988b0cff0394abe08e9e4dc934d86a.exe
File opened (read-only)	\??\p:	2754574ba546bfe49fc852b87cf85e2fca988b0cff0394abe08e9e4dc934d86a.exe
File opened (read-only)	\??\F:	2754574ba546bfe49fc852b87cf85e2fca988b0cff0394abe08e9e4dc934d86a.exe
File opened (read-only)	\??\L:	2754574ba546bfe49fc852b87cf85e2fca988b0cff0394abe08e9e4dc934d86a.exe
File opened (read-only)	\??\M:	2754574ba546bfe49fc852b87cf85e2fca988b0cff0394abe08e9e4dc934d86a.exe
File opened (read-only)	\??\y:	2754574ba546bfe49fc852b87cf85e2fca988b0cff0394abe08e9e4dc934d86a.exe
File opened (read-only)	\??\Z:	2754574ba546bfe49fc852b87cf85e2fca988b0cff0394abe08e9e4dc934d86a.exe
File opened (read-only)	\??\h:	2754574ba546bfe49fc852b87cf85e2fca988b0cff0394abe08e9e4dc934d86a.exe
File opened (read-only)	\??\i:	2754574ba546bfe49fc852b87cf85e2fca988b0cff0394abe08e9e4dc934d86a.exe
File opened (read-only)	\??\o:	2754574ba546bfe49fc852b87cf85e2fca988b0cff0394abe08e9e4dc934d86a.exe
File opened (read-only)	\??\Q:	2754574ba546bfe49fc852b87cf85e2fca988b0cff0394abe08e9e4dc934d86a.exe
File opened (read-only)	\??\R:	2754574ba546bfe49fc852b87cf85e2fca988b0cff0394abe08e9e4dc934d86a.exe
File opened (read-only)	\??\s:	2754574ba546bfe49fc852b87cf85e2fca988b0cff0394abe08e9e4dc934d86a.exe
File opened (read-only)	\??\x:	2754574ba546bfe49fc852b87cf85e2fca988b0cff0394abe08e9e4dc934d86a.exe
File opened (read-only)	\??\z:	2754574ba546bfe49fc852b87cf85e2fca988b0cff0394abe08e9e4dc934d86a.exe
File opened (read-only)	\??\k:	2754574ba546bfe49fc852b87cf85e2fca988b0cff0394abe08e9e4dc934d86a.exe
File opened (read-only)	\??\N:	2754574ba546bfe49fc852b87cf85e2fca988b0cff0394abe08e9e4dc934d86a.exe
File opened (read-only)	\??\j:	2754574ba546bfe49fc852b87cf85e2fca988b0cff0394abe08e9e4dc934d86a.exe
File opened (read-only)	\??\l:	2754574ba546bfe49fc852b87cf85e2fca988b0cff0394abe08e9e4dc934d86a.exe
File opened (read-only)	\??\n:	2754574ba546bfe49fc852b87cf85e2fca988b0cff0394abe08e9e4dc934d86a.exe
File opened (read-only)	\??\t:	2754574ba546bfe49fc852b87cf85e2fca988b0cff0394abe08e9e4dc934d86a.exe
File opened (read-only)	\??\w:	2754574ba546bfe49fc852b87cf85e2fca988b0cff0394abe08e9e4dc934d86a.exe
File opened (read-only)	\??\X:	2754574ba546bfe49fc852b87cf85e2fca988b0cff0394abe08e9e4dc934d86a.exe
File opened (read-only)	\??\D:	2754574ba546bfe49fc852b87cf85e2fca988b0cff0394abe08e9e4dc934d86a.exe
File opened (read-only)	\??\e:	2754574ba546bfe49fc852b87cf85e2fca988b0cff0394abe08e9e4dc934d86a.exe
File opened (read-only)	\??\r:	2754574ba546bfe49fc852b87cf85e2fca988b0cff0394abe08e9e4dc934d86a.exe
File opened (read-only)	\??\v:	2754574ba546bfe49fc852b87cf85e2fca988b0cff0394abe08e9e4dc934d86a.exe
File opened (read-only)	\??\W:	2754574ba546bfe49fc852b87cf85e2fca988b0cff0394abe08e9e4dc934d86a.exe
File opened (read-only)	\??\Y:	2754574ba546bfe49fc852b87cf85e2fca988b0cff0394abe08e9e4dc934d86a.exe
File opened (read-only)	\??\g:	2754574ba546bfe49fc852b87cf85e2fca988b0cff0394abe08e9e4dc934d86a.exe
File opened (read-only)	\??\I:	2754574ba546bfe49fc852b87cf85e2fca988b0cff0394abe08e9e4dc934d86a.exe
File opened (read-only)	\??\P:	2754574ba546bfe49fc852b87cf85e2fca988b0cff0394abe08e9e4dc934d86a.exe
File opened (read-only)	\??\S:	2754574ba546bfe49fc852b87cf85e2fca988b0cff0394abe08e9e4dc934d86a.exe
File opened (read-only)	\??\u:	2754574ba546bfe49fc852b87cf85e2fca988b0cff0394abe08e9e4dc934d86a.exe
File opened (read-only)	\??\U:	2754574ba546bfe49fc852b87cf85e2fca988b0cff0394abe08e9e4dc934d86a.exe
File opened (read-only)	\??\G:	2754574ba546bfe49fc852b87cf85e2fca988b0cff0394abe08e9e4dc934d86a.exe
File opened (read-only)	\??\q:	2754574ba546bfe49fc852b87cf85e2fca988b0cff0394abe08e9e4dc934d86a.exe

Modifies boot configuration data using bcdedit 1 IoCs

pid	Process
3504	bcdedit.exe

Drops file in System32 directory 36 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	2754574ba546bfe49fc852b87cf85e2fca988b0cff0394abe08e9e4dc934d86a.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2754574ba546bfe49fc852b87cf85e2fca988b0cff0394abe08e9e4dc934d86a.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2754574ba546bfe49fc852b87cf85e2fca988b0cff0394abe08e9e4dc934d86a.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2754574ba546bfe49fc852b87cf85e2fca988b0cff0394abe08e9e4dc934d86a.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2754574ba546bfe49fc852b87cf85e2fca988b0cff0394abe08e9e4dc934d86a.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2754574ba546bfe49fc852b87cf85e2fca988b0cff0394abe08e9e4dc934d86a.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2754574ba546bfe49fc852b87cf85e2fca988b0cff0394abe08e9e4dc934d86a.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2754574ba546bfe49fc852b87cf85e2fca988b0cff0394abe08e9e4dc934d86a.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2754574ba546bfe49fc852b87cf85e2fca988b0cff0394abe08e9e4dc934d86a.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\4c336e0f99262766.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2754574ba546bfe49fc852b87cf85e2fca988b0cff0394abe08e9e4dc934d86a.exe
File opened for modification	C:\Windows\system32\locator.exe	2754574ba546bfe49fc852b87cf85e2fca988b0cff0394abe08e9e4dc934d86a.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2754574ba546bfe49fc852b87cf85e2fca988b0cff0394abe08e9e4dc934d86a.exe
File opened for modification	C:\Windows\System32\alg.exe	2754574ba546bfe49fc852b87cf85e2fca988b0cff0394abe08e9e4dc934d86a.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2754574ba546bfe49fc852b87cf85e2fca988b0cff0394abe08e9e4dc934d86a.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2754574ba546bfe49fc852b87cf85e2fca988b0cff0394abe08e9e4dc934d86a.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2754574ba546bfe49fc852b87cf85e2fca988b0cff0394abe08e9e4dc934d86a.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2754574ba546bfe49fc852b87cf85e2fca988b0cff0394abe08e9e4dc934d86a.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2754574ba546bfe49fc852b87cf85e2fca988b0cff0394abe08e9e4dc934d86a.exe
File opened for modification	C:\Windows\System32\vds.exe	2754574ba546bfe49fc852b87cf85e2fca988b0cff0394abe08e9e4dc934d86a.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2754574ba546bfe49fc852b87cf85e2fca988b0cff0394abe08e9e4dc934d86a.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2754574ba546bfe49fc852b87cf85e2fca988b0cff0394abe08e9e4dc934d86a.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2754574ba546bfe49fc852b87cf85e2fca988b0cff0394abe08e9e4dc934d86a.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_87484\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2754574ba546bfe49fc852b87cf85e2fca988b0cff0394abe08e9e4dc934d86a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2754574ba546bfe49fc852b87cf85e2fca988b0cff0394abe08e9e4dc934d86a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	2754574ba546bfe49fc852b87cf85e2fca988b0cff0394abe08e9e4dc934d86a.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	2754574ba546bfe49fc852b87cf85e2fca988b0cff0394abe08e9e4dc934d86a.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2754574ba546bfe49fc852b87cf85e2fca988b0cff0394abe08e9e4dc934d86a.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2754574ba546bfe49fc852b87cf85e2fca988b0cff0394abe08e9e4dc934d86a.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2754574ba546bfe49fc852b87cf85e2fca988b0cff0394abe08e9e4dc934d86a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2754574ba546bfe49fc852b87cf85e2fca988b0cff0394abe08e9e4dc934d86a.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2754574ba546bfe49fc852b87cf85e2fca988b0cff0394abe08e9e4dc934d86a.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2754574ba546bfe49fc852b87cf85e2fca988b0cff0394abe08e9e4dc934d86a.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2754574ba546bfe49fc852b87cf85e2fca988b0cff0394abe08e9e4dc934d86a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2754574ba546bfe49fc852b87cf85e2fca988b0cff0394abe08e9e4dc934d86a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2754574ba546bfe49fc852b87cf85e2fca988b0cff0394abe08e9e4dc934d86a.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	2754574ba546bfe49fc852b87cf85e2fca988b0cff0394abe08e9e4dc934d86a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	2754574ba546bfe49fc852b87cf85e2fca988b0cff0394abe08e9e4dc934d86a.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_87484\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{1E8F5DDF-3FB3-4332-A4CC-B46FF6E6899A}\chrome_installer.exe	2754574ba546bfe49fc852b87cf85e2fca988b0cff0394abe08e9e4dc934d86a.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2754574ba546bfe49fc852b87cf85e2fca988b0cff0394abe08e9e4dc934d86a.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2754574ba546bfe49fc852b87cf85e2fca988b0cff0394abe08e9e4dc934d86a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005008faa36055db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004316c4a26055db01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e300efa26055db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000047261a36055db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008d3747a36055db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000aeb964a26055db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007259caa36055db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000caca77a26055db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004e6cdda36055db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000024133a46055db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b27b88a26055db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4088	DiagnosticsHub.StandardCollector.Service.exe
4088	DiagnosticsHub.StandardCollector.Service.exe
4088	DiagnosticsHub.StandardCollector.Service.exe
4088	DiagnosticsHub.StandardCollector.Service.exe
4088	DiagnosticsHub.StandardCollector.Service.exe
4088	DiagnosticsHub.StandardCollector.Service.exe
4088	DiagnosticsHub.StandardCollector.Service.exe
3888	elevation_service.exe
3888	elevation_service.exe
3888	elevation_service.exe
3888	elevation_service.exe
3888	elevation_service.exe
3888	elevation_service.exe
3888	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2652	2754574ba546bfe49fc852b87cf85e2fca988b0cff0394abe08e9e4dc934d86a.exe
Token: SeShutdownPrivilege	2652	2754574ba546bfe49fc852b87cf85e2fca988b0cff0394abe08e9e4dc934d86a.exe
Token: SeAuditPrivilege	1168	fxssvc.exe
Token: SeRestorePrivilege	3560	TieringEngineService.exe
Token: SeManageVolumePrivilege	3560	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1744	AgentService.exe
Token: SeBackupPrivilege	2628	vssvc.exe
Token: SeRestorePrivilege	2628	vssvc.exe
Token: SeAuditPrivilege	2628	vssvc.exe
Token: SeBackupPrivilege	1304	wbengine.exe
Token: SeRestorePrivilege	1304	wbengine.exe
Token: SeSecurityPrivilege	1304	wbengine.exe
Token: 33	4584	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4584	SearchIndexer.exe
Token: SeShutdownPrivilege	4980	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4980	msiexec.exe
Token: SeSecurityPrivilege	3396	msiexec.exe
Token: SeCreateTokenPrivilege	4980	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4980	msiexec.exe
Token: SeLockMemoryPrivilege	4980	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4980	msiexec.exe
Token: SeMachineAccountPrivilege	4980	msiexec.exe
Token: SeTcbPrivilege	4980	msiexec.exe
Token: SeSecurityPrivilege	4980	msiexec.exe
Token: SeTakeOwnershipPrivilege	4980	msiexec.exe
Token: SeLoadDriverPrivilege	4980	msiexec.exe
Token: SeSystemProfilePrivilege	4980	msiexec.exe
Token: SeSystemtimePrivilege	4980	msiexec.exe
Token: SeProfSingleProcessPrivilege	4980	msiexec.exe
Token: SeIncBasePriorityPrivilege	4980	msiexec.exe
Token: SeCreatePagefilePrivilege	4980	msiexec.exe
Token: SeCreatePermanentPrivilege	4980	msiexec.exe
Token: SeBackupPrivilege	4980	msiexec.exe
Token: SeRestorePrivilege	4980	msiexec.exe
Token: SeShutdownPrivilege	4980	msiexec.exe
Token: SeDebugPrivilege	4980	msiexec.exe
Token: SeAuditPrivilege	4980	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4980	msiexec.exe
Token: SeChangeNotifyPrivilege	4980	msiexec.exe
Token: SeRemoteShutdownPrivilege	4980	msiexec.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4980	msiexec.exe
4980	msiexec.exe
4980	msiexec.exe
4980	msiexec.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2652	2754574ba546bfe49fc852b87cf85e2fca988b0cff0394abe08e9e4dc934d86a.exe
2652	2754574ba546bfe49fc852b87cf85e2fca988b0cff0394abe08e9e4dc934d86a.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4584 wrote to memory of 876	4584	SearchIndexer.exe	107
PID 4584 wrote to memory of 876	4584	SearchIndexer.exe	107
PID 4584 wrote to memory of 768	4584	SearchIndexer.exe	108
PID 4584 wrote to memory of 768	4584	SearchIndexer.exe	108
PID 2652 wrote to memory of 4980	2652	2754574ba546bfe49fc852b87cf85e2fca988b0cff0394abe08e9e4dc934d86a.exe	109
PID 2652 wrote to memory of 4980	2652	2754574ba546bfe49fc852b87cf85e2fca988b0cff0394abe08e9e4dc934d86a.exe	109
PID 2652 wrote to memory of 3504	2652	2754574ba546bfe49fc852b87cf85e2fca988b0cff0394abe08e9e4dc934d86a.exe	118
PID 2652 wrote to memory of 3504	2652	2754574ba546bfe49fc852b87cf85e2fca988b0cff0394abe08e9e4dc934d86a.exe	118

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2754574ba546bfe49fc852b87cf85e2fca988b0cff0394abe08e9e4dc934d86a.exe
"C:\Users\Admin\AppData\Local\Temp\2754574ba546bfe49fc852b87cf85e2fca988b0cff0394abe08e9e4dc934d86a.exe"
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2652
- C:\Windows\SYSTEM32\msiexec.exe
  msiexec /x /norestart
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:4980
- C:\Windows\SYSTEM32\bcdedit.exe
  "bcdedit.exe" /enum all
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:3504

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:3080

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:4088

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3348

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1168

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:3888

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2024

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4516

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4324

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3712

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2932

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2952

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3448

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4844

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1556

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3404

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3224

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1736

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3560

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1744

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1776

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2628

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1304

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3848

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4584
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:876
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:768

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
7afe1bd8e808ad44e269376f2cbe534f

SHA1
678d4407f768820750d0a818c13706101a0a5cad

SHA256
d810f4c61d33e50960565d785544bc62ae0323da79169814953c5c364d55d8a7

SHA512
c661d7e56139db4d38fff40b1a13105f3fa08144d43e88a1baa3863ff4ef6bbe4a1cb9f2221f7205e05bcafa87536435606422512bb4c8cfe41eba978e3f8a3b

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
5cf5bfd66cfe6cd9e75e564b05ffdd58

SHA1
cd0b8e8577de4cb8f78a3be745cf01156266668f

SHA256
4337895ad53bb9aecb0afc7c98d12ba9f0248d17bab930d47b9aefea06443206

SHA512
5747d593c1b67cf7902a75d269b2ec6fc4b77d926f361404021dc445370f70fe14bc55de67060dd31c2200b6132b0f83335336c51c76428adde9776c1e8af198

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.8MB

MD5
6a96e00fcf906d0f6ecf691c793f9abd

SHA1
f1656a441068a4cd64cf63bc9ab9692f9c7d980a

SHA256
6fa53e06d510f68245283c98eeb6f90a378bbae1bdf17ba1bb1ff3a438bec014

SHA512
60ef94541c5f80049361306eb1b4806f8b19951122e548b9768c57d9541f0d9fbda0909e9a99757b09b99d568f6446df6cb8228314b85b00db0477d2f1fc808a

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
475e7c27d5501b56350ee18bd2a29ac7

SHA1
962edca7cff1b16f89022fa946d57c700ce9f593

SHA256
e3e1959ef322482863819088dbce8780f26c46019499d8ad31e89bbe401817bf

SHA512
bc4fc4b14816cd7e75ff2166481a0ea27c57ad3ff54d19e12def788c1e679a04a2eee3454be4d7f51b9877a99491506bcb08f4a813cea09df2b98740b7d68b1c

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
108d7bc6c43363ea79a05f45151a38dd

SHA1
22a9b618ef79dfa841217ce5b76f7ffbba0f8a1b

SHA256
7f7e80797d5aba22a1d61147841af3ae165730def751a1cdd0eb98b0b47306f8

SHA512
513ab557407666de388216884d208f5673c8493d2f00f532bacd0a601a81065727a967cde6940b7ca6c99af8f2cb7af6afce8c60723fb2e127e0734ba2abe0b9

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
2e954a7496e69d6b3da087f0c636ec52

SHA1
b5bd09670e78e812898e20db3f55d77ada367927

SHA256
fbbeba47c6ea595b718ac555fe197f0de062b9f56f003fa2285ad2dddf0c4508

SHA512
168a3c32409bc933f78535010cd1481a61b140109b24cb82e7aaff2aa3bb26a061134c1ed038419eb58620da9a1149d1013d3bcebf3fea3feacf1d98b9eea34a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
4cdf4fc9096db846923900f0a102c09b

SHA1
15465c431ff889fd94aff8623919b447eaf2949a

SHA256
d1388ace189de7cd538c5a40b6a6b30ef833742278d80970da6968db086b4002

SHA512
dbd73de5f7991e002436ddfe9e8a5931a1586090e2f19098ff86469696d90e13d232604c9582f5cc5391492d68e0eca95ec6c0c4b449ade7fba55bfc8b09a839

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
56611504b18c047779578814bcf60d8a

SHA1
4d4af8c73fc5e42bcf4671b736ac589b856b3da1

SHA256
f6bbbedab426a03dd81e988abccf0ac54dcad3a3b4e6a8f400eaeb3e72fec739

SHA512
4597e745e4c2b5531c7616aefe13b102e4f1f784d05f5056331d0dabe8dc4ed021a0c098900dd840d74b9a9b20313bf9455be162941e508a84f3547be12cc790

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
0a10575917bb3b194863bc962c37de3b

SHA1
a6b4fc34cde4ebfae61b6bf012a9eb6a2a238c57

SHA256
dbd92136c64386dcd9908c88d787e43a8aa37707113a0090cb6555f9abdfb380

SHA512
9900f9ec965c395dba81516664aeabab5ae7bb738e4ea233f138de6dcd72db7e869f117b1c1332dac7fd626316b148e729688474810a8457f3b1105e341d7628

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
f834bf2b1b585365395da5cafa8aeee2

SHA1
f9233f92e15a79a612eee2c9fc1b751485a33156

SHA256
964cf33d156bddaf58913d7f77c664acb2ec6ea8c0f16db0ae000273e9ba2149

SHA512
64d7ba1735ad6b155ba54c1bff59daa1bceae94a9b0d6834ab25ec536d64994407a23ab1e62516bfa6d4f0ed42b33a110cf238dee7d13fe57121cd8369c297e0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
fe7d33a1a9402f263216f51c5a0105e5

SHA1
b2a29ecea5c7f6e4835de49f177d404dba330f63

SHA256
6efcacd1c4442313353d6a248714911d1d52dbb4d399d6563ce624e58c1030d9

SHA512
00037fa3601e56bc84e0d56d4c2685890720e7e256e2622dbbc978d4b14ab73951eb6fc32d9e791e76cc14e6b3a178d9ff5012de86f2a307f6883df234173707

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
62af974a97fa5c2bc2616aaeebbe8025

SHA1
89ce668e4cab749ae51e7e087d8f0b5d1801f321

SHA256
0b44d842af276d2e4c9281330ae7e4faf06c925460e35014377ed37d3555c0a4

SHA512
e5da34c11ca1501b94c43381e3d1f7bdbd8d7fcba452da1cb935ed81533490114c932d706cef2395f6ef0c9a319fa0fcb8aced02178d8855ed0405b33568d451

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
a72572264133de9237c00bfdb3324380

SHA1
094c998f1ae5da2518bc4baa0ec71b53e6937b30

SHA256
841ea93a1f2cf268a265a7a9d246bf4d9aa468b020d31f2ea19f999066f7e88f

SHA512
8b5aa61a303dfd1c4f5c1abb1135acb41ccd04c3ffb84253b2aeb92c45deb1f7152639d9455e07625f122de154913651c70f41aaf4101c6002c1777d1ac708be

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
99bfb6471563b7e9ab1e118c4514c509

SHA1
52392c22549d89135826eb50fd39f416344f611a

SHA256
1f6ea9b99501f3ac39396000d2497a5241d226fc9019e8c8f23b23e839a83aaf

SHA512
c4711e04a77ab071e489de4dc32bfb36e03a61ed67320f1e987015148352d1a8221b5540e548ef60886d42a79ef8848c7431c7eb696599e7773340bea60be728

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
314f150da1fb2cfcd0b18eaffe4e9640

SHA1
da93e09a2978019efd76beebb03c474be35bc64c

SHA256
e9e899ee9dc1ae794c8bc985c2b792b32684a4661b464693fb7df499ad5a65ac

SHA512
31c8591a9d710e22cf08e2f172a3448e665fbeb9b093381d283abbe90a14daedc1c2b07bf5d73c60064bdc0c38b404d6ad7c3397d7cf8c1ff32517119e4ce441

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
20943cdc5feaa8294bc0e0643ffa125d

SHA1
daa2ce272d6e205885c877b7a8b3863bb433001c

SHA256
8fcf0aaaaf4a8b4b3cb5fe7a41e8255b4b0befe956ef20a11f2c5d89efcc6214

SHA512
0818f54574ce7be003cb70027cd71f96003d2f123c210b65a5a05c4d3e3680165682a3c00db1e5535df148746063eabdddde635051e45eb0b2deffb38b3a8081

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
d540621e67bd71324aa454a95d1a2222

SHA1
b0c0d2c92373adba3c576ed99bcd120dd4e2c824

SHA256
3dfe61d6b1ad4d74b298734b415ac433e82a24da69d1907bde4b1a14e520c2f4

SHA512
3506b4af3ab8f6ddf4a352801e827207c4498deed0606c5c499a3bc3fead43dc674e5566ca3e4703d6a55a7344e3b82cf616a295066d3f3f143b6904548f325b

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
bd2100c4395fecd6a96b73d61bf4032f

SHA1
7f87ade54428b3d8fe4c062c21cecbad3e3f4ca0

SHA256
027707cba82fde6f7986e7e742112fdae41a41b46f10f3ca798156f66863664d

SHA512
15927f2275d27a5e005c33f835bcd4a975e58d21b3d9b19cc8c8b4989cf359604b6f825b11ce7268278c7ca219f7cae0f9a0a0446b1cb1bfb82be507b2e06be1

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
10ac86e63542aea69bc81362f444f4b1

SHA1
0ace881663b572bbff273050374e59c74c513953

SHA256
3506132308b861af4ebe34ac0624978fc6cda96ce36c927fbab47dcb06ebd2ec

SHA512
69b369f00e0cc248312c044787c7314d11a0be899421a28f254dec6fedbb36e6bff89bc7f9c22206205a3db4952fa3687eaa943cf448a86837e59dd252188be8

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
2689746c40205106cb02cc272bbff85c

SHA1
70b0dc4059cb24662b75ae61a2ab3c88183d596a

SHA256
aaf7b30a094536b2d606bbb9946d781cd27ea7fa1f505c58d4795d857a94badc

SHA512
c7cc54acad16d25f3d6e74fdfa465c2546457012b9cbd116e24e737b76eaee1c09b3fd5cc0e23cb5dcaab5dea355cd8feb7e52ce20ad79db118a0afeeec8248d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
7478bf83d2f045126cce30faf3a88e65

SHA1
edf54ea500773056b49c93dd59e0376b48aafbbc

SHA256
1410eed438398d4456e20d861e9eecf2778c16dfadf8c83034df86b1ce03243f

SHA512
f9a617e9eda9f5fa4b5f9299a8c4f1f0940ec17a9a0bfecda0d16be7c563932f4da4445b8df90c45eb20222a8772bdd12a543ee03c187e2b988f47834bd5140a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
cd4d885bcab914550b80dff007c56da8

SHA1
177721d04aa1d8c758c26d7278ded89940210a3f

SHA256
d1f556233c9071d540d1d0cec32d50096ce8cd4b980958c439d9c2ce9ab511e1

SHA512
45ddda46c8005c2c72ec05a919874c940d25341e573ca530960d3d30bd262ac57c188022215e095dfb85cd618d1125e38a9dad81f5835599850b9e8ecd016af0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
900b80d4d9106a290d7c6021aef5cc58

SHA1
acd4848794980e1a04797547703f103db443545b

SHA256
2e456048229780dd35de1e54c0341019603bb1518bcc481e0aa58c762dafca35

SHA512
484609de1eababcfa906dadb29cb837b079d64dc32c82b5340fd71dc4957a8be749e99ed0ca0752d4e7938d4152f486e9c2e25b37f20009f47d77154f2b210ab

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.3MB

MD5
bc0a54c0ee4ad1816795cbaadb43f0f7

SHA1
fe36538a9bbdbdcfd1f529346cb993adaba458fa

SHA256
7e859431c6e289cda1d56ee6ef58d85611b588f24befa87f47a47b4ce6dd4e63

SHA512
d39e6abf039997aab822a51d389f724d9c8949dee2941bb1ff38cd18d6f2515941819f42edf6173ff68e1c466a6db2ccb81fe8bc4d2ef914f5b1babd708c4d0c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
1c2bec968e7353dcf92ee0b95b503023

SHA1
1456dfac04261ab0ca826a333122aa5186179ba2

SHA256
be0ef109c6a9ca1e99bfad1a06b4172f8db9c481bb7537c3281e6fef376142ff

SHA512
f15c3ebbe4e26ec026fc3c2ac0e3ad52c9702b7c84b76add249d251feb52889191c4c728b600ce2fe28eb74fff096b07d7f3ab76d089599807d40f831fa44ed1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
2c6fa46ddf11db2d30812f8ea2b5768b

SHA1
ef0d7708e4f882711334c18aa7e1141f03260aa8

SHA256
815387ddc8aa97185862a561e190763f87d0f2725b214484b1f17d3a3b24a1cf

SHA512
07b30d19c25091a77c05715c545d014e0d6a29021b9e6728729d5c3a6d11fb3feeaabf1f7cce71e1b36dc57ae5a01bff5a5205f738c756a3c6a4596ee1bf4495

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
ec91bbbb76c711d5fb9959ac2cf2a797

SHA1
9b1e53166a29435317e434f2029c26416dc3730e

SHA256
1570ca17c57023aed6966df41e79c4debf50e745b39625a24040d1d797b7c5fb

SHA512
a218e20c2baf36cf13607b53671930fab43e056166a5edd5cb3d060aa2b282057987831d74d9ac1e7bd1507700b7e4d93d41619700cb5b3b57bd51395728cfd9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
573253bee39ce331a9b901e506ee91dc

SHA1
fe2a819a23cadcf026aa77e8e5fd53d7dbad6f3f

SHA256
b68086f19bfee77059b16b5e3c78dbcd8484b140fc20d1f512ce0b613fb6bbc9

SHA512
15cd15611db54552027c42fbaf8087408e4451c9f351830aa84e75b5510469867cef56eb8f8fe1e5b1931ff2621ec9b767c3774133a335841dc29b5a5d30628b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
5672b63a3ee1aa94302cc38454585cb4

SHA1
4c2eba4726e27ed4e338e72b1daf802f31acdc2c

SHA256
2f6591bb667eccfd765a3af4d05f422d488b21d0229767c52292aebdcc07461b

SHA512
296116237cf85fcac7f037f20b2a8ac25f9dd1929a9e0f6c915fc6a8e29093c9df6aa24348614259f3ee4d45efb077216c70006d32ceb6276c8862ca337db8e2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
b02e16ea030f2b18082da3e4ff13d8eb

SHA1
c74778006cc6c3138c645fc06e90eb24d229590b

SHA256
afb84e71c6d910f9665a6f40be9a3abba096f743a07abd783d07151b231fab72

SHA512
5492867d46fca4ccb1160a1e5c654e96ceeec9a4c386ceb6b1d2f58c1f332db29e78166087bbd2553c7f39e098e1f3ec5750e55b229ae93ad4197f7fcf486e41

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.4MB

MD5
5c6be9d068f49557d3684f02ac38dbe8

SHA1
73e6c3b0f0cecca5c70783d2583937f9f1e1f36f

SHA256
87d15da8e933b0618ba5462085184f454c50089b6c63a7b55e7992c5167ddbd2

SHA512
5bbd6cc54f528277981601eb2d53a137e3f05f2c185d51c982206dd18bb9402c5b61975da4cd048153a2ff643047c83a3bce33db51b42d4cc3720c53d27dbcd5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
f0a85610432e25f24ae331938745c960

SHA1
7ebd9f1463da05511c6a5835d94e820cdd8f5037

SHA256
9e5cc655fae537696030f4da685b9b3306beea2691b239258aaec4d9a1de0787

SHA512
4bef9be6f5f828adc56812004865b1366c7fa7e27d82e0e0796d1d394074105542c5781ae7e4cf26bfc9a83ca3c41512ac857e8960f4d8a6843b07b64700f6d0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
aea31f4b7676ecab055187b1cb4406f4

SHA1
a4df462c8f552e8e31c48f4d45353e83dd278b6d

SHA256
36dfccde84417e4aa2c901e5651fb7fa795d2d730bc38ed355523b429df72f8e

SHA512
ce9a53f4b74f4558c299fa14fb46fd2d1c8f4c97943e2beb37315fbd116fe78b9ab6829209560f6cf71c938a4c6bdc5cec6e61992353d30a0a7f520e50653da7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.4MB

MD5
cf234050f5fb232593878d7a6fbf7458

SHA1
91d9edd78564dea4641139130819a0f3e2edc080

SHA256
7be9bf7838716595db330fd0a801d3217ee43ddf228fdde53496657885324162

SHA512
86f7369f00a79b93779ae1f1a9dd4d2e21b74b3a99328b1a8dc545d00958ab304eff7a650806048a2f4886f28bc45866f44d3c11b4fabb56b322ca2a02d4676f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
3d98cb51b92cb754590d88f7bb345f37

SHA1
5260e221257cc4d9e9ba2e97f6107aaaaf21224b

SHA256
f9d263d0fc30a6b2db7724dd55f2aebb0905c06f7ce606dfb83ea70fc8ff21d8

SHA512
1cc46869595e17b623735dd09c0a1868718f92433ac8726285abc262260436ae6753ab792f0ecb9725a6a9e554d2a35de17f2f99476b65021206eb90b3a0648d

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.4MB

MD5
48b6dc2685942a483ee299d0a19e3708

SHA1
0ff5f89b025df84f8ce37cb0b97ea1a33144f553

SHA256
724c47b4cde2caad2a4d8af94f3dc472db1bdbe466c2ce7715358704c3266b52

SHA512
00e9b3560d200cc53f638945249a36385c0cc7edc52b6c17c853b0fb6b1fcb580cce25d7aa6cb145f74db590c9a56a1ca721524e7a30c558c1bc210422b58755

Download Submit
C:\Windows\SYSTEM32\msiexec.exe

Filesize
1.3MB

MD5
8e95dd48880af1c6fe22e80012431969

SHA1
65d78c80cb6158bc0073c7a685048d9e227f78c8

SHA256
3fafa0f0d7a38023940fd6505704678bfe25936c727a131da82b8a3a4727b04c

SHA512
caeade06b6cdb2dc7f8dd966d1d184d66a842ec9d24ab4e8fbd566004183470838a8f79cc5965ceb7ae7f97867f14cb62fa8882e45d1b674d1383f024afcbafe

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
6cbb75f54f43c8e88a385ee4b01887fe

SHA1
21abcaaebb0f3b32deea1285be4f42b7fddb5540

SHA256
087ad2ea00a5c255329f1bc380148404056d972f2ad8abb90301001351b87280

SHA512
138ad3bebdcc3cb43a279fd6fda9feecdd4eaf5169f74033efda62bbe3b8482d28025c234e7988e88c043b05cf96eae8dfe9f6e49e5b60292283f01be41725b2

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
ebef01e8e0d2054c5fc29b4f63618ef5

SHA1
59a78760bc2e3abde4cbef71423f3e2d0d0c4b2f

SHA256
7fe4f9bc1d6288a6646ebfd59b0c13b3b0a7db2d429e6549e77b2ff464388306

SHA512
a19ed2f1dc14e043f7b22793e27c75ccbe6f2604af7fd4e0ad9697df5043ef7d8f1f2cf532fccbdafda83abaa194b6c83fc1cd20a889f3c08384ae6a37aa5fc2

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
19634fb41b869ab7cc002b908ce5ecfd

SHA1
41adc36cde14eb497c4101ae9749d5fc5cecdd04

SHA256
213e09cb6ca249d037390868b0615071959d27845ea3050466fd389c4b39f3ca

SHA512
97dfbfd156836961efd33aa20bb85e6c0888a3c86b8e3a0ac098d9ccc4eb95ced98356a1370caed08fda77563abbf8af36efab4c1c474d919cf09d80dd6352d2

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
915f281eda8b651333750d4abffc074d

SHA1
25d58a5d160999a9e20cf263f55eeae6667d60f6

SHA256
e3b8ec82ea50bdc9556932820ed69276ce71c8affdfc25b137e3692605077d2d

SHA512
0d7ca3eb3139512d5230229e52e278e2a21b6faf8bad25050d1ffbb8906c97e10b9e1b051b6b12b138b482e45281db5b351b148fd147a352530b2de9a15fab68

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
1a9356a648f555ddefadba22bdcc278a

SHA1
420e4a128e4ae1d208c3312ee9e451aa19abf78a

SHA256
5279317bdf75bf4643364b0f4af8dbc475dc0d01bcd261ab1e8c75459f62249a

SHA512
4d8301fdebed90945fa11f53504c288654a4c1e0871d56837068ba83e4f7c856ba01c5f240ed6de04a6abb9531003b2d3d7bf4c46ef5fadeee0ed008105abe56

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
f1f66b04114214ed5bb93479a85be5b6

SHA1
b4620d98b29d6579a8c49106edcd0dea3b79e2f4

SHA256
22ddd21cd1059aacb924d8d8fac6d3328a3754fc1d3f87e0d023db2ddaabad9e

SHA512
3ecb760e5c208dec4ac3aa3a7b8cd1239e7b03822d10fb13b4692195049fc381f7928760aecebc439a5ca23493297e0b6a986537ddc4a0f27f454707cdf26ab1

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
28fece717cd711ff8cf386eb8797ce14

SHA1
9278f2723f7b52df6616aa1f83917927c5ad47a4

SHA256
6dd5622154a92f32a4e312db4c64283150e9058d14739923d8335d215f664eee

SHA512
8bfda2bde138779fdfca0ff71430a87e19c7547ec9dbc4e33d09e8d1470aab6529044afe35c58608a0cf2bc447b454bab002cd5f32a2b9a6648945fd2ebfd087

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
c40be3c4333a28d4447de2810b919663

SHA1
1083c21188a2155295b957d81d31bb23e6e8587a

SHA256
d3dfcd08ab9235667f76fee3fe17d3999189245c9758bccaf714ef670f564ab6

SHA512
407e480a1eedee7350c62a64f907165360b182168dc3b84227631cac7e1bff63c0c0bbcf041774caf4e7146502794f14c4faeadb3c0abf224c23a2b6ab496af9

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
abb9db89545e7e002f797b115b6c3054

SHA1
464d2df090dd3d6018a9780ab12c640ce7c9f1ef

SHA256
4a89990dce159141041a90af8c2f0edf60c04afe5d9a35cca113b724e52f15d3

SHA512
1fa00ae801aa95c1f7b5acc356920515466049cf6f3345e1628d2cc6703c18ea62a9deee338b94ff832b85223b3eb215b4d3206d7d18ce7daa0ba99beea3b3c7

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
a1868c04d2116a333242d2f79922412e

SHA1
9ca1808b0a2fb66991dde7fbd93eed2676d24278

SHA256
cb386aeab90ff53193dab2e8e434cb25e6a214791939d215029c03c8de776f6c

SHA512
55cb9b84bf79c0fc5614e42cabb4b0d296d730498ea881fbdd6a68cfc58cc37bc18b8a38a725d71269be59ea67e487a3e88f687c0f6f8602c678f06e49a6d888

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
49c500116cb67c2b4ce7c312845cc8cc

SHA1
1ce6a86dc6fe0ec9b25c1ef78109147a875920b1

SHA256
a69aa086a24d50e3deafc7df6e5b610ad1804a1e7c5c9555c4b8d379ac51533c

SHA512
91911f5b33c7e66516575c07faf56ee50e413d74842c1d100dda24fc3ec35b93db01b6be15f0a678a68feef504d9f42ed26e0dd26b25b298e1df24e40eb84fc1

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
ddcfb4966c68cc0359eb8519240450a6

SHA1
c342d527f11b3ea3770ef929ea2ae0ffb7dada62

SHA256
cef99e4cd6ed013b457f026ddab50cba9425bc885a188a06252023a2dd2b093a

SHA512
91c121e4eaeab31b937fb8184a6f8cdcb39dde5925c743770084805961155827460192e577d4b714ce002539ee693395b79e719287b04fde5845063b14aad931

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
17860db9b1a5a59de1ccd13f20c88d64

SHA1
e7a285f312d1947efcc11e7df6112c131bbd41c2

SHA256
5bd4632a8781bde0d8d08fc8c592e3f7840457f28f2fbf6605b15edb69e53e60

SHA512
cf61211438648642fa8fbd3dbe451f9f37fb6ef9442da4e84496046cf8d583c7a09dacc13620724c5e3ff53ba2da3ee68f65ac7456f750bca8a2bb3f1773b103

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
755e7d24a76306c9434f035cd3e923e7

SHA1
9aac45dbb3ebb6dbb1efc32687dcb35e9c1dd43d

SHA256
dc428da9c06e5fa760458f578a4bc648b391b373f2ed75ce4292a1d251f89153

SHA512
fe06007b2a55c6b867cef79920b5392dd360d32087cfd23a47051c8e29f548cc581aefc1a02706fc5629d11ff1f251ce50bd6f0b4ab98af24d677e9508b64582

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
4a590516996f1c46af659b3c46099707

SHA1
893881db0060b8614840339fd76f70d82ce1024b

SHA256
1efb53146a16ad56ae7768b08ba3a8ca67dad45f61cbd7122162f670569ae92b

SHA512
52b1446bfd34287a0d8ba7574043c586946bc9ed9bb0abb98ae923554d8a9cfd0a384d66c7b8c0ecfe29b82a86b225b88a921b379e3a1ef8e87abc1456a416f0

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
824c89974916431b5c8f7657f200f1a0

SHA1
ab8d0daf83aa3516b8809dcf43d313aba02410cb

SHA256
27e6632fc533dda50ac1b6f7b5f1952f1354b6d1a3d8729b0c024b9b08d943ee

SHA512
9dbc0cc89a1409a05c6ec9576945331784e5dd0eda8ad9b5c9700eaf57e8ebb4be9b9c56db0c12239b88320e92dd043a396a5129de528e34da58dfcbbed5babd

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
f6547369629a2f6a3021bb3cbfde588d

SHA1
1ae7539a26012c1d4796bb0ab0ccddd12ba7225c

SHA256
aabe017d97a57494791665cb25e9b2012e6fedbe7c4fb298c6d42389ef1c0d40

SHA512
dfb9cbe8358093004475c35b3d987f9bce32e87226fff51c4b87bbc9ea3227fd5fc38e2006041c32e3822c859d52b819199f37f33584dab75b17a131eed5676d

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
8919d91b823cb57a54bba815964a8ce0

SHA1
d6499b11c26ba566b98449682d729bbeef537df2

SHA256
1c5fe6a8b7ad5dc64490f12c8c09e4969a901153849f253dc7801e5f78bb392e

SHA512
8ad0c7ecf5eace7af931c538a3e086ecb442ced5f1f78590c2350ea9dda26db4d0ea6b1e8c89792416c86854cccfbb32d4dc5fe5dae55e861a226af47d7a6525

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
811150c19ecce74941bb37b23ae7f4bb

SHA1
ebed2a3bf51c63516515017783b86d966f6eb97f

SHA256
4a8bc7611a2559adab0fd4d57df1c179cd916ecc5450e79002038ec4b81137dd

SHA512
e1ce114858873c94f8ceaa76ee5a4ac3f2d845a2d11e11a20c7b1d13ba5edfd3657bf4ac7a5799fbc18a614be4e6159640f3fa9f961d09830675d1f72fcd4464

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
e3ab5579f136083ecd68fed8c9b998da

SHA1
1e8408428dc178d2e42ce5a8ff9f501456e9ac0f

SHA256
2fdd2555a51be8367581b7d34b1bdad8f9a6235cb7e6d6105e1118a9101f68d1

SHA512
8b6dc794eb8934a891125342e1b14f960a3fb753df9337707bf2ae0dd3c0926c1ced1d11029d7a3fca7ca22ac005ceb375ae56c8031c3f8cf365ab07d4b41a38

Download Submit
memory/1168-29-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1168-31-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1304-457-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1304-165-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1556-119-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1556-249-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1736-135-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/1736-357-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/1744-153-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1744-151-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1776-156-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1776-455-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2024-50-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2024-134-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2024-52-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2024-44-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2628-160-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2628-456-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2652-80-0x0000000000400000-0x0000000000847000-memory.dmp

Filesize
4.3MB

Download
memory/2652-8-0x0000000002720000-0x0000000002786000-memory.dmp

Filesize
408KB

Download
memory/2652-0-0x0000000000400000-0x0000000000847000-memory.dmp

Filesize
4.3MB

Download
memory/2652-1-0x0000000002720000-0x0000000002786000-memory.dmp

Filesize
408KB

Download
memory/2652-483-0x0000000000400000-0x0000000000847000-memory.dmp

Filesize
4.3MB

Download
memory/2932-159-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/2932-97-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/2932-89-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/2932-95-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/2952-101-0x00000000008C0000-0x0000000000926000-memory.dmp

Filesize
408KB

Download
memory/2952-106-0x00000000008C0000-0x0000000000926000-memory.dmp

Filesize
408KB

Download
memory/2952-109-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/2952-163-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/3080-100-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/3080-13-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/3396-462-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3396-511-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3404-131-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3404-330-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3448-164-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/3448-112-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/3560-385-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/3560-147-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/3712-155-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/3712-83-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/3712-74-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/3712-81-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/3848-168-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/3848-459-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/3888-36-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3888-33-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/3888-40-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/3888-122-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4088-24-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/4088-108-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/4088-16-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4088-25-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4324-70-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/4324-150-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/4516-68-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/4516-66-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/4516-56-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/4516-55-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/4516-62-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/4584-460-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4584-173-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4844-172-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4844-458-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4844-116-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4980-464-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4980-386-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4980-465-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download