modiloader | 609466fcae46344a419e4811e83b5299e2b94107bc1956bf71713764a153b1c0

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23/01/2025, 12:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ORDER-REQUIRMENT-REF-000042531.cmd.exe
Size

1.3MB
MD5

f8917dd23a244af6a89a7c388bfb2d5c
SHA1

6fb52c21afe5fe112e586ea69568c7e70158afa1
SHA256

609466fcae46344a419e4811e83b5299e2b94107bc1956bf71713764a153b1c0
SHA512

b3f7bac38474fce1ef40928b5be6884605fef86146332a474a00c8e23593cd4e3f03419b58aa84feb51a53ff7205e537bdaee51122f4887e89ceb3f228fa0b34
SSDEEP

24576:JUWe1lsIh7u57Mhl0Siz+h4dYEXvVzlFjG31di:JClztlpiz+adRvVR2D

Score

10^/10

modiloader collection discovery persistence spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
lwaziacademy.com
Port:
587
Username:
[email protected]
Password:
jB_PZJCJu8Xz

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 62 IoCs

resource	yara_rule
behavioral2/memory/3892-2-0x0000000002850000-0x0000000003850000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-7-0x0000000002850000-0x0000000003850000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-12-0x0000000002850000-0x0000000003850000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-19-0x0000000002850000-0x0000000003850000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-39-0x0000000002850000-0x0000000003850000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-66-0x0000000002850000-0x0000000003850000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-65-0x0000000002850000-0x0000000003850000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-64-0x0000000002850000-0x0000000003850000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-62-0x0000000002850000-0x0000000003850000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-61-0x0000000002850000-0x0000000003850000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-60-0x0000000002850000-0x0000000003850000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-59-0x0000000002850000-0x0000000003850000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-58-0x0000000002850000-0x0000000003850000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-57-0x0000000002850000-0x0000000003850000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-56-0x0000000002850000-0x0000000003850000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-55-0x0000000002850000-0x0000000003850000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-54-0x0000000002850000-0x0000000003850000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-53-0x0000000002850000-0x0000000003850000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-52-0x0000000002850000-0x0000000003850000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-51-0x0000000002850000-0x0000000003850000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-50-0x0000000002850000-0x0000000003850000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-47-0x0000000002850000-0x0000000003850000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-43-0x0000000002850000-0x0000000003850000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-41-0x0000000002850000-0x0000000003850000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-38-0x0000000002850000-0x0000000003850000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-36-0x0000000002850000-0x0000000003850000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-35-0x0000000002850000-0x0000000003850000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-34-0x0000000002850000-0x0000000003850000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-63-0x0000000002850000-0x0000000003850000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-30-0x0000000002850000-0x0000000003850000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-27-0x0000000002850000-0x0000000003850000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-26-0x0000000002850000-0x0000000003850000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-49-0x0000000002850000-0x0000000003850000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-24-0x0000000002850000-0x0000000003850000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-48-0x0000000002850000-0x0000000003850000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-23-0x0000000002850000-0x0000000003850000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-22-0x0000000002850000-0x0000000003850000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-44-0x0000000002850000-0x0000000003850000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-21-0x0000000002850000-0x0000000003850000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-42-0x0000000002850000-0x0000000003850000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-20-0x0000000002850000-0x0000000003850000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-40-0x0000000002850000-0x0000000003850000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-37-0x0000000002850000-0x0000000003850000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-33-0x0000000002850000-0x0000000003850000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-32-0x0000000002850000-0x0000000003850000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-31-0x0000000002850000-0x0000000003850000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-16-0x0000000002850000-0x0000000003850000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-29-0x0000000002850000-0x0000000003850000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-28-0x0000000002850000-0x0000000003850000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-25-0x0000000002850000-0x0000000003850000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-15-0x0000000002850000-0x0000000003850000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-14-0x0000000002850000-0x0000000003850000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-13-0x0000000002850000-0x0000000003850000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-18-0x0000000002850000-0x0000000003850000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-17-0x0000000002850000-0x0000000003850000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-8-0x0000000002850000-0x0000000003850000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-11-0x0000000002850000-0x0000000003850000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-10-0x0000000002850000-0x0000000003850000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-6-0x0000000002850000-0x0000000003850000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-9-0x0000000002850000-0x0000000003850000-memory.dmp	modiloader_stage2
behavioral2/memory/3892-5-0x0000000002850000-0x0000000003850000-memory.dmp	modiloader_stage2
behavioral2/memory/5912-1111-0x0000000140000000-0x000000014022B000-memory.dmp	modiloader_stage2

Executes dropped EXE 30 IoCs

pid	Process
1856	svchost.pif
1504	alpha.pif
4176	Upha.pif
3284	alpha.pif
4752	Upha.pif
3712	alpha.pif
2280	aken.pif
3604	hvphrsqL.pif
2920	alg.exe
544	DiagnosticsHub.StandardCollector.Service.exe
5644	fxssvc.exe
5772	elevation_service.exe
5912	elevation_service.exe
6000	maintenanceservice.exe
6100	msdtc.exe
2292	OSE.EXE
2592	PerceptionSimulationService.exe
4256	perfhost.exe
1880	locator.exe
4012	SensorDataService.exe
2068	snmptrap.exe
2040	spectrum.exe
2680	ssh-agent.exe
8	TieringEngineService.exe
4728	AgentService.exe
4320	vds.exe
928	vssvc.exe
5176	wbengine.exe
5292	WmiApSrv.exe
5452	SearchIndexer.exe

Loads dropped DLL 1 IoCs

pid	Process
1856	svchost.pif

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	hvphrsqL.pif
Key opened	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	hvphrsqL.pif
Key opened	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	hvphrsqL.pif

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Lqsrhpvh = "C:\\Users\\Public\\Lqsrhpvh.url"	ORDER-REQUIRMENT-REF-000042531.cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
17	drive.google.com
19	drive.google.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
47	checkip.dyndns.org
49	reallyfreegeoip.org
50	reallyfreegeoip.org

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\d5820bb4e5a029dd.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	hvphrsqL.pif
File opened for modification	C:\Windows\system32\msiexec.exe	hvphrsqL.pif
File opened for modification	C:\Windows\System32\snmptrap.exe	hvphrsqL.pif
File opened for modification	C:\Windows\System32\vds.exe	hvphrsqL.pif
File opened for modification	C:\Windows\system32\AppVClient.exe	hvphrsqL.pif
File opened for modification	C:\Windows\SysWow64\perfhost.exe	hvphrsqL.pif
File opened for modification	C:\Windows\system32\locator.exe	hvphrsqL.pif
File opened for modification	C:\Windows\System32\SensorDataService.exe	hvphrsqL.pif
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	hvphrsqL.pif
File opened for modification	C:\Windows\system32\vssvc.exe	hvphrsqL.pif
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	hvphrsqL.pif
File opened for modification	C:\Windows\system32\SearchIndexer.exe	hvphrsqL.pif
File opened for modification	C:\Windows\System32\alg.exe	hvphrsqL.pif
File opened for modification	C:\Windows\system32\fxssvc.exe	hvphrsqL.pif
File opened for modification	C:\Windows\System32\msdtc.exe	hvphrsqL.pif
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\spectrum.exe	hvphrsqL.pif
File opened for modification	C:\Windows\system32\TieringEngineService.exe	hvphrsqL.pif
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	hvphrsqL.pif
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	hvphrsqL.pif
File opened for modification	C:\Windows\system32\SgrmBroker.exe	hvphrsqL.pif
File opened for modification	C:\Windows\system32\AgentService.exe	hvphrsqL.pif
File opened for modification	C:\Windows\system32\wbengine.exe	hvphrsqL.pif

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3892 set thread context of 3604	3892	ORDER-REQUIRMENT-REF-000042531.cmd.exe	107

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	hvphrsqL.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	hvphrsqL.pif
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	hvphrsqL.pif
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	hvphrsqL.pif
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	hvphrsqL.pif
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	hvphrsqL.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	hvphrsqL.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	hvphrsqL.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	hvphrsqL.pif
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	hvphrsqL.pif
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	hvphrsqL.pif
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_80703\javaws.exe	hvphrsqL.pif
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	hvphrsqL.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	hvphrsqL.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	hvphrsqL.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	hvphrsqL.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	hvphrsqL.pif
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	hvphrsqL.pif
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe	hvphrsqL.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	hvphrsqL.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	hvphrsqL.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	hvphrsqL.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	hvphrsqL.pif
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	hvphrsqL.pif
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	hvphrsqL.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	hvphrsqL.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	hvphrsqL.pif
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	hvphrsqL.pif
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	hvphrsqL.pif
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	hvphrsqL.pif
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	hvphrsqL.pif
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	hvphrsqL.pif
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	hvphrsqL.pif
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	hvphrsqL.pif
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	hvphrsqL.pif
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	hvphrsqL.pif
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	hvphrsqL.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	hvphrsqL.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	hvphrsqL.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	hvphrsqL.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	hvphrsqL.pif
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	hvphrsqL.pif
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	hvphrsqL.pif
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_80703\javaw.exe	hvphrsqL.pif
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	hvphrsqL.pif
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	hvphrsqL.pif
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	hvphrsqL.pif
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	hvphrsqL.pif
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	hvphrsqL.pif
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	hvphrsqL.pif
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	hvphrsqL.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	hvphrsqL.pif
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	hvphrsqL.pif
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	hvphrsqL.pif
File opened for modification	C:\Program Files\7-Zip\7zG.exe	hvphrsqL.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	hvphrsqL.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	hvphrsqL.pif
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	hvphrsqL.pif
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	hvphrsqL.pif
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	hvphrsqL.pif
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	hvphrsqL.pif
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	hvphrsqL.pif
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	hvphrsqL.pif
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	hvphrsqL.pif

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	hvphrsqL.pif
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ORDER-REQUIRMENT-REF-000042531.cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hvphrsqL.pif

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000073483dcd956ddb01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002559c9cb956ddb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000811eafcb956ddb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000039ccfdcb956ddb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000742e00cc956ddb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cad127cd956ddb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6005 = "Shortcut to MS-DOS Program"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002230e1cb956ddb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000841cedcb956ddb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	19	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	21	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1856	svchost.pif
1856	svchost.pif
1856	svchost.pif
1856	svchost.pif
1856	svchost.pif
1856	svchost.pif
1856	svchost.pif
2280	aken.pif
1856	svchost.pif
2280	aken.pif
1856	svchost.pif
1856	svchost.pif
1856	svchost.pif
1856	svchost.pif
1856	svchost.pif
1856	svchost.pif
1856	svchost.pif
1856	svchost.pif
1856	svchost.pif
1856	svchost.pif
1856	svchost.pif
1856	svchost.pif
1856	svchost.pif
1856	svchost.pif
1856	svchost.pif
1856	svchost.pif
1856	svchost.pif
1856	svchost.pif
1856	svchost.pif
1856	svchost.pif
1856	svchost.pif
1856	svchost.pif
1856	svchost.pif
1856	svchost.pif
1856	svchost.pif
1856	svchost.pif
1856	svchost.pif
1856	svchost.pif
1856	svchost.pif
1856	svchost.pif
1856	svchost.pif
1856	svchost.pif
1856	svchost.pif
1856	svchost.pif
1856	svchost.pif
1856	svchost.pif
1856	svchost.pif
1856	svchost.pif
1856	svchost.pif
1856	svchost.pif
1856	svchost.pif
1856	svchost.pif
1856	svchost.pif
1856	svchost.pif
1856	svchost.pif
1856	svchost.pif
1856	svchost.pif
1856	svchost.pif
1856	svchost.pif
1856	svchost.pif
1856	svchost.pif
1856	svchost.pif
1856	svchost.pif
1856	svchost.pif

Suspicious behavior: LoadsDriver 3 IoCs

pid	Process
652	Process not Found
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeDebugPrivilege	2280	aken.pif
Token: SeTakeOwnershipPrivilege	3604	hvphrsqL.pif
Token: SeDebugPrivilege	3604	hvphrsqL.pif
Token: SeAuditPrivilege	5644	fxssvc.exe
Token: SeRestorePrivilege	8	TieringEngineService.exe
Token: SeManageVolumePrivilege	8	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4728	AgentService.exe
Token: SeBackupPrivilege	928	vssvc.exe
Token: SeRestorePrivilege	928	vssvc.exe
Token: SeAuditPrivilege	928	vssvc.exe
Token: SeBackupPrivilege	5176	wbengine.exe
Token: SeRestorePrivilege	5176	wbengine.exe
Token: SeSecurityPrivilege	5176	wbengine.exe
Token: 33	5452	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5452	SearchIndexer.exe
Token: SeDebugPrivilege	3604	hvphrsqL.pif
Token: SeDebugPrivilege	3604	hvphrsqL.pif
Token: SeDebugPrivilege	3604	hvphrsqL.pif
Token: SeDebugPrivilege	3604	hvphrsqL.pif
Token: SeDebugPrivilege	3604	hvphrsqL.pif

Suspicious use of WriteProcessMemory 37 IoCs

description	pid	Process	procid_target
PID 3892 wrote to memory of 1220	3892	ORDER-REQUIRMENT-REF-000042531.cmd.exe	86
PID 3892 wrote to memory of 1220	3892	ORDER-REQUIRMENT-REF-000042531.cmd.exe	86
PID 3892 wrote to memory of 1220	3892	ORDER-REQUIRMENT-REF-000042531.cmd.exe	86
PID 3892 wrote to memory of 1012	3892	ORDER-REQUIRMENT-REF-000042531.cmd.exe	89
PID 3892 wrote to memory of 1012	3892	ORDER-REQUIRMENT-REF-000042531.cmd.exe	89
PID 3892 wrote to memory of 1012	3892	ORDER-REQUIRMENT-REF-000042531.cmd.exe	89
PID 1012 wrote to memory of 1856	1012	cmd.exe	94
PID 1012 wrote to memory of 1856	1012	cmd.exe	94
PID 1856 wrote to memory of 4232	1856	svchost.pif	95
PID 1856 wrote to memory of 4232	1856	svchost.pif	95
PID 4232 wrote to memory of 5000	4232	cmd.exe	97
PID 4232 wrote to memory of 5000	4232	cmd.exe	97
PID 4232 wrote to memory of 2828	4232	cmd.exe	98
PID 4232 wrote to memory of 2828	4232	cmd.exe	98
PID 4232 wrote to memory of 2412	4232	cmd.exe	99
PID 4232 wrote to memory of 2412	4232	cmd.exe	99
PID 4232 wrote to memory of 1504	4232	cmd.exe	100
PID 4232 wrote to memory of 1504	4232	cmd.exe	100
PID 1504 wrote to memory of 4176	1504	alpha.pif	101
PID 1504 wrote to memory of 4176	1504	alpha.pif	101
PID 4232 wrote to memory of 3284	4232	cmd.exe	102
PID 4232 wrote to memory of 3284	4232	cmd.exe	102
PID 3284 wrote to memory of 4752	3284	alpha.pif	103
PID 3284 wrote to memory of 4752	3284	alpha.pif	103
PID 4232 wrote to memory of 3712	4232	cmd.exe	104
PID 4232 wrote to memory of 3712	4232	cmd.exe	104
PID 3712 wrote to memory of 2280	3712	alpha.pif	105
PID 3712 wrote to memory of 2280	3712	alpha.pif	105
PID 3892 wrote to memory of 3604	3892	ORDER-REQUIRMENT-REF-000042531.cmd.exe	107
PID 3892 wrote to memory of 3604	3892	ORDER-REQUIRMENT-REF-000042531.cmd.exe	107
PID 3892 wrote to memory of 3604	3892	ORDER-REQUIRMENT-REF-000042531.cmd.exe	107
PID 3892 wrote to memory of 3604	3892	ORDER-REQUIRMENT-REF-000042531.cmd.exe	107
PID 3892 wrote to memory of 3604	3892	ORDER-REQUIRMENT-REF-000042531.cmd.exe	107
PID 5452 wrote to memory of 5932	5452	SearchIndexer.exe	134
PID 5452 wrote to memory of 5932	5452	SearchIndexer.exe	134
PID 5452 wrote to memory of 6064	5452	SearchIndexer.exe	135
PID 5452 wrote to memory of 6064	5452	SearchIndexer.exe	135

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	hvphrsqL.pif

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	hvphrsqL.pif

C:\Users\Admin\AppData\Local\Temp\ORDER-REQUIRMENT-REF-000042531.cmd.exe
"C:\Users\Admin\AppData\Local\Temp\ORDER-REQUIRMENT-REF-000042531.cmd.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3892
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Public\LqsrhpvhF.cmd" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1220
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1012
- - C:\Windows \SysWOW64\svchost.pif
    "C:\Windows \SysWOW64\svchost.pif"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1856
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\NEO.cmd
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4232
    - - C:\Windows\system32\extrac32.exe
        
        extrac32 /C /Y C:\\Windows\\System32\\cmd.exe C:\\Users\\Public\\alpha.pif
        5⤵
        
        PID:5000
    - - C:\Windows\system32\extrac32.exe
        
        extrac32 /C /Y C:\\Windows\\System32\\sc.exe C:\\Users\\Public\\Upha.pif
        5⤵
        
        PID:2828
    - - C:\Windows\system32\extrac32.exe
        
        extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe C:\\Users\\Public\\aken.pif
        5⤵
        
        PID:2412
    - - C:\Users\Public\alpha.pif
        
        C:\\Users\\Public\\alpha.pif /c C:\\Users\\Public\\Upha.pif create TrueSight binPath="C:\Windows \SysWOW64\truesight.sys" type= kernel start= auto
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1504
      - C:\Users\Public\Upha.pif
        
        C:\\Users\\Public\\Upha.pif create TrueSight binPath="C:\Windows \SysWOW64\truesight.sys" type= kernel start= auto
        6⤵
        Executes dropped EXE
        
        PID:4176
    - - C:\Users\Public\alpha.pif
        
        C:\\Users\\Public\\alpha.pif /c C:\\Users\\Public\\Upha.pif start TrueSight
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3284
      - C:\Users\Public\Upha.pif
        
        C:\\Users\\Public\\Upha.pif start TrueSight
        6⤵
        Executes dropped EXE
        
        PID:4752
    - - C:\Users\Public\alpha.pif
        
        C:\\Users\\Public\\alpha.pif /c C:\\Users\\Public\\aken.pif -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath 'C:\'"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3712
      - C:\Users\Public\aken.pif
        
        C:\\Users\\Public\\aken.pif -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath 'C:\'"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2280
- C:\Users\Public\Libraries\hvphrsqL.pif
  C:\Users\Public\Libraries\hvphrsqL.pif
  2⤵
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:3604

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2920

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:544

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4040

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5644

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5772

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5912

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:6000

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:6100

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2292

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2592

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4256

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1880

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4012

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2068

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2040

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2680

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2936

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:8

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4728

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4320

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:928

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5176

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5292

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5452
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5932
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:6064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
f72fa31f2a41fc527db72880a42170b3

SHA1
1eab57341b838e214663dc13a451bbf959576c13

SHA256
718ce09a00e8749b61052278b498463ca40b10b0ac951eb606c6569e2f4eaeac

SHA512
00550e7b8f4d2a0a5e7626eaf3e5f73afea3db9f6814799023537d7bf5d2d22c8cc15f939caf4c3e021b5c329376f16af7a895dca54c0559d54a65fa93ee8d8b

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.3MB

MD5
ba342afc19451822a8ba13464af3f64a

SHA1
36a3033dd4cf5d37c7cd4e05e358f835a67042f1

SHA256
1dda47796d0b1f4bb34f815c353dd2a058960b04e5aadfb956811f56c9b0f559

SHA512
3ba87e3100dd55661c9e4179b710cab6a0fc2cf3443dc727f9a30c0fdd889d2c86b108165044e7bfc272abea2eb31817654a3ca072f34a4372b6eb5383f1998e

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.3MB

MD5
66e517126d710835eb45f302a6819bf7

SHA1
66a4edabcf74e965359b354258eb6760c76db0d7

SHA256
9c9fb4f41a4bc7e59d03e2ed48f514ff087149f078f8e2e988623dd762c595e1

SHA512
1b41137a1ddb3d79e7d1576e1647e5fe52605eea7d1d3994463bca67012aee6e3aec71fa775be65f7f7abc943e20b02ecf75d651f1fe7b3dbb5ef656f4830bfe

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
daeebe854ea88e13afd74770839eda83

SHA1
fa4a63004e268e3cce5ebb0c724c5c6208e50a47

SHA256
51c675372afb04601f2ccca6749938bbba5adb19d041edcc5dcb54fbc0d31453

SHA512
ad644c1fcc27b73faba3e0acef18095957f538277a5c295d2abb91a7f427301c2d4b0b4c3aae418ae1ea23bfcb34fb453a3181b903461dcc71aef80298e16aa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zsh34wf3.le1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Public\Libraries\FX.cmd

Filesize
8KB

MD5
7821e3de3812e791cf3b223500d73bc9

SHA1
5e211b634ce77e6fee83ce8a5b8c9a37c8b81e1d

SHA256
3daa7f9eee129f61f7a452f7150ee21a1c4141586a37f37842b9c3bb53152a74

SHA512
6eae270065401626df97b73a255578bf27b4f4dea480954843823046ad95e40cf706c1a767c8765ef3ab48ea3a18498375614317ec00a9ef29a4dd21edbc5f26

Download Submit
C:\Users\Public\Libraries\Lqsrhpvh

Filesize
1.6MB

MD5
8b3e0ead3b90f0f27f518ba1fe5bd5f8

SHA1
303f1dcc4afc7d701fab13c2215e044f36611608

SHA256
19ebbf53a6572d81a5ac2633702f702cc1ca12ed86ca56345875a3700988dda0

SHA512
b2e89c1c95623d597d6bf2de930c90288f23d858a503045d3923700fa19e39c0f3fbee252d2aec3faad586bebc0789413868ed07bbb2e0f7a8fed0cb4b99352b

Download Submit
C:\Users\Public\Libraries\Lqsrhpvh.PIF

Filesize
1.3MB

MD5
f8917dd23a244af6a89a7c388bfb2d5c

SHA1
6fb52c21afe5fe112e586ea69568c7e70158afa1

SHA256
609466fcae46344a419e4811e83b5299e2b94107bc1956bf71713764a153b1c0

SHA512
b3f7bac38474fce1ef40928b5be6884605fef86146332a474a00c8e23593cd4e3f03419b58aa84feb51a53ff7205e537bdaee51122f4887e89ceb3f228fa0b34

Download Submit
C:\Users\Public\Libraries\Lqsrhpvh.mp3

Filesize
52KB

MD5
f53fa44c7b591a2be105344790543369

SHA1
363068731e87bcee19ad5cb802e14f9248465d31

SHA256
bfc2ef3b404294fe2fa05a8b71c7f786b58519175b7202a69fe30f45e607ff1c

SHA512
55b7b7cda3729598f0ea47c5c67761c2a6b3dc72189c5324f334bdf19bef6ce83218c41659ba2bc4783daa8b35a4f1d4f93ef33f667f4880258cd835a10724d9

Download Submit
C:\Users\Public\Libraries\NEO.cmd

Filesize
55KB

MD5
3c755cf5a64b256c08f9bb552167975c

SHA1
8c81ca56b178ffd77b15f59c5332813416d976d7

SHA256
12e0795aa1408bea69bfd0a53bb74558598e71b33fc12ffec0e0ae38d39da490

SHA512
8cf0f1a368089e2e3021ce6aeb4984821429d4bb9de3d273a9d0f571a847bba3fc429b84a877afec6decf40e6b94a69d52e8eeea55e042aa9773d3540dbe6bfa

Download Submit
C:\Users\Public\Libraries\hvphrsqL.pif

Filesize
171KB

MD5
22331abcc9472cc9dc6f37faf333aa2c

SHA1
2a001c30ba79a19ceaf6a09c3567c70311760aa4

SHA256
bdfa725ec2a2c8ea5861d9b4c2f608e631a183fca7916c1e07a28b656cc8ec0c

SHA512
c7f5baad732424b975a426867d3d8b5424aa830aa172ed0ff0ef630070bf2b4213750e123a36d8c5a741e22d3999ca1d7e77c62d4b77d6295b20a38114b7843c

Download Submit
C:\Users\Public\Lqsrhpvh.url

Filesize
104B

MD5
256c94034e93e2005b22830b8a49cc91

SHA1
b6687017a6fa79c1181c875909f0637413a9fda1

SHA256
cda2582b09c402fd8543a5a2d94d4c8e50e54dc6d2583ad72837a5d14e54391a

SHA512
a25926cb279a4b758474e1a25ed0055b3f88513e4e9b65013bc6748689d3555e6e5a42a3e085d5f669b1780414020c87d64790bb497ae410eab00ffe07d5fa4c

Download Submit
C:\Users\Public\LqsrhpvhF.cmd

Filesize
11KB

MD5
f82aeb3b12f33250e404df6ec873dd1d

SHA1
bcf538f64457e8d19da89229479cafa9c4cce12f

SHA256
23b7417b47c7efb96fb7ce395e325dc831ab2ee03eadda59058d31bdbe9c1ea6

SHA512
6f9d6daeed78f45f0f83310b95f47cc0a96d1db1d7f6c2e2485d7a8ecb04fee9865eec3599fee2d67f3332f68a70059f1a6a40050b93ef44d55632c24d108977

Download Submit
C:\Users\Public\Upha.pif

Filesize
70KB

MD5
3fb5cf71f7e7eb49790cb0e663434d80

SHA1
b4979a9f970029889713d756c3f123643dde73da

SHA256
41f067c3a11b02fe39947f9eba68ae5c7cb5bd1872a6009a4cd1506554a9aba9

SHA512
2b59a6d0afef765c6ca80b5738202622cfe0dffcec2092d23ad8149156b0b1dca479e2e2c8562639c97e9f335429854cad12461f2fb277207c39d12e3e308ef5

Download Submit
C:\Users\Public\aken.pif

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Users\Public\alpha.pif

Filesize
283KB

MD5
8a2122e8162dbef04694b9c3e0b6cdee

SHA1
f1efb0fddc156e4c61c5f78a54700e4e7984d55d

SHA256
b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450

SHA512
99e784141193275d4364ba1b8762b07cc150ca3cb7e9aa1d4386ba1fa87e073d0500e61572f8d1b071f2faa2a51bb123e12d9d07054b59a1a2fd768ad9f24397

Download Submit
C:\Windows \SysWOW64\netutils.dll

Filesize
116KB

MD5
0f088756537e0d65627ed2ea392dcaae

SHA1
983eb3818223641c13464831a2baad9466c3750f

SHA256
abe2b86bc07d11050451906dc5c6955e16341912a1da191fc05b80c6e2f44ad6

SHA512
d7ec6126467fd2300f2562be48d302513a92cee328470bf0b25b67dcf646ba6c824cd6195ba056b543db9e2a445991fe31ebc2f89d9eff084907d6af1384720d

Download Submit
C:\Windows \SysWOW64\svchost.pif

Filesize
94KB

MD5
869640d0a3f838694ab4dfea9e2f544d

SHA1
bdc42b280446ba53624ff23f314aadb861566832

SHA256
0db4d3ffdb96d13cf3b427af8be66d985728c55ae254e4b67d287797e4c0b323

SHA512
6e775cfb350415434b18427d5ff79b930ed3b0b3fc3466bc195a796c95661d4696f2d662dd0e020c3a6c3419c2734468b1d7546712ecec868d2bbfd2bc2468a7

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.1MB

MD5
de7f6f758ed638a2d0b5d93457bdc8ff

SHA1
7925e9bec985a0e58c71e490f77d493e6abe2c16

SHA256
fb66bd391efc21d20a92891a0db39abd2a49c0f89dbd9c2f12efd57bdc91b8cb

SHA512
61522b8d1de4cd9ee0c4354ba7c4325529b88e38c5599f6679f1fdde480a879ac4028abd188466fe062b0f15cc0612dcc9932af24248165b785666963c66d6d0

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
98aceac246a51ad0f14b26831b9126ea

SHA1
5714befda09db9c356ecebe45e600c802acdbbb6

SHA256
7d155639ae5fd19179a753ab43676bd81378240154d7c6541077cff2f012e50c

SHA512
2a142127df21b5761991e998b9a4ce4b97ba3148ed285eceff16dc5b6cd269a40905c2a3e042ca57222b94bc746154f7623c702060cbc2103e2e337f4687a5a9

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
d5ff503923df8d6b70a16b2475d31426

SHA1
d6dff18580e2ef0176aba40aca3a10256d86184f

SHA256
e402ce949e5afd06777413017d8c4ab10a102e6afd879118a90b46bf3a288ad6

SHA512
2808c3d36329274bb9b49cbaa547ed12d2156dd547edf3e88f857377a15524beeffc4280367d8e2af7f57df2ba0270ee5df3c4ef5b6ff6f8400e4386cf3e35fa

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
5c83147db757b45e4f6b6f7748f6d8a1

SHA1
67f604bcb45b0cf035f47541158edd1554d60db7

SHA256
b547668e87e38841b15e078e0f6c8341ac306f030fffde41afc10fe964ff60c9

SHA512
d41847e3c8ddfa83ac83370026020067740ef4d8ea132fac6484e636298b629291ff0ff182a0c928d3b6031503731fa1c4f540a5747d938c1daec238db026fcd

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.1MB

MD5
5aeea53d5070b8b9c2503ef7e3f210b7

SHA1
cfbc8d91d9b78bcc4dafb507514df24fe3fbbd73

SHA256
26b3e9f319627af4e7a0a8980d035a6aae0edd9bfc5d75d13d762fe021bdecb9

SHA512
32fb84bc845dc7eeaf3e673d075a174a9dae543207ea2bdaac93f4999dab5bb1fbba1aaaf0e5eae7dede94217395aaf0873c3b9e2d984a487a8f0eea91dc475d

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.4MB

MD5
cdf26df21a1ca9047b8afed8af9991ec

SHA1
7d7597026a7556e8f148006fcf5653b6d936e1e7

SHA256
da51d11fd55c7f86237ce940d707656b484db25cbc7fa7311375cc0e07abe339

SHA512
f300e93eeb05dec1f3b41fb3ddd8eaa4c1156afda4569da6f326d2cdcfb6d6e9eae56d08dbecfb889ce7beb4b6df08ecb4e02117b7e086eb1242f92516eb88e2

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
63b177770a297dda67ddff19d5c6b3cb

SHA1
411a2aff4d22d7279c753592eef263cb316764d1

SHA256
4dde8a0de0d7165d98ff5071228c937f64d0709ea2f2b2d371d36f7a815dc14c

SHA512
8e6c5fe8baac7b539ef2a63b1aac92169ccc1bc97e26837232d78fbeec1a3c92143efb28c66095b72d63299e05163f821a0f4128a48ca790cb913bac91881754

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
f9a5db6d6aade1bd7720d8ba3144cc43

SHA1
30342fe5a0be9decdcf2a528597482d422562b9c

SHA256
ce020edaae0c34100ca72bab14210c09d139d7ddef029cec34f189e4153564b0

SHA512
e99783ba31142163afbd0820b0e60e672f41fcb824994c1bdc009e34cc048a12a164af60cf3c3d554995a7d201513be3749741753f07998084d3f8d741954fb6

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
10a35f1ced00d6bbf01939e69308e0e6

SHA1
f7798cd7d1b4bfc4fbd31dbbd0e53992d43cfce2

SHA256
068cdee3516ccec8ed6050fa420aa0946fb513979b00f8df3c3fc81ab753ddec

SHA512
c0b6f19f9e4304f11610715fed7a9fd952852573bd6fdd8a6bbf9ba6a1ce83e62c80769a9604905dfedd98343a2976e653553f44ff762e2bea22628ff6bf5a37

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
0d175f3d5b5d2cf0098c289023b90ff7

SHA1
019b00bfb1c5da175b504e4ad510bce57e5c126e

SHA256
2b9d666d801434a4276ac162252d2e6cacaefdbd788c45cf74c5144900f89f9a

SHA512
53cd5ee307c08f6ed473942652357534081442402cc8155d1fa40adb5ce2f0cfdbf22e540a223149058f688aa487182c8c43fe788778d561536c07d8ef0e6348

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.4MB

MD5
58f2f3ea4ed94251f30e6ad6dd3e6c77

SHA1
c05731303d6ceae5fc9b1a3611752e49a833cb2c

SHA256
f46b8287835b60acdd95a6381081177a44a7ca5ca46456935f3ad0ea4b952056

SHA512
6a3398003422579d48217857bb876545a56594706dc970f80e395cc90909b01d1225c72ee58071309cea92bd531732f2a4a7527998403a2b8c14b32e9286813a

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
08fc76c0dafa1eaf2b632415b3738ac1

SHA1
8786d2032a145a257cb6ca5c6c039f9414b9f497

SHA256
5bccb5608f633e518b851833a52d87ead55c8b2c39420281d1ecb93519b41039

SHA512
cf3323b8101219b8e1be93ebb8fbb341ad9c9fa7c3311a8c9dfcf034084ff1cfc1ffcab2ff2686a298009ed2967851bc6917eae749d13c553f1c703a6592b78e

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
5f4c2a6c3ad6a22d648198e7d227f68e

SHA1
8974a6e04a69098292a0aac9ccc0f326c4347520

SHA256
78516f8ceabe79b3358936c22e49a9c7ecb1cafd524c5df65c1c52ad432cae68

SHA512
bac6bc749a8424f7244aa31e5179f3b9367f676f7715dce9bba45fd12eee7ef94e0778f8132510390a3d1d6729abb2da1ec509215ff85c2b2daf61ad6a7a6408

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.2MB

MD5
6b3cecc3db80f960e97a37298906dceb

SHA1
087441d2b7940e152e1c3734109cbaa0d9b5afe2

SHA256
7fea5c33be9b492e86de2321b1ff4412f742c74a4895bebe93d21c12765eccad

SHA512
5fd2dde61f047559422f0cb817d566f06e5acfc805e86f2e7b7fe23e257e166425940f67f1f66d029a51c24ab1a0475733090cda649f70b4505165b7cc8db148

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.1MB

MD5
bae05c38a9f833a5cbba3daf21349e1e

SHA1
8b8c122c8407e5a4a0928bf0f493694121e5fb95

SHA256
eec188e9312f769415d5c0361437223a390849f7aa38ff08490715b67a5718c6

SHA512
296cd09082f5e4ca993ed8c3cd9462d21e904ed16dd250f448ef25b7f84f5172ee8e56233878c2e149925911538c6aeebda2ab029003095d2ed32e6639e5eff7

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
aa782301349d7bdf717ec7ff0bd8a8f6

SHA1
924dfc72218a067926dabefd22b0a075bb59e53a

SHA256
2806a6816a2795833cd2be9a800823ad8e059e2fadd22f97f1a8ca9f239cf9db

SHA512
a5041e2b1df76a6e109cb8444286cfbac6c78feff54cdc2e50d9ef9fd4e336380d0030d6115357879bdfd23723db3af6778006ab6cf7d738e4e03a912974b311

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
ae3f699d6ea0db192af50ca537107c4b

SHA1
c35930fa8c51c6e90682daba754f7e5741efbe0e

SHA256
925cca2f476ea7a406d1747ccc5cda80edc8e285ee5e38c4ac45cd607acbddce

SHA512
48a614e6f6f1eb7e52172a85084ee6ca2686ae76ded83630077d80e68a3444817f73a09678938031f5853074ad6345ad45b7fd6577463ecbe0fe643ec383fdb9

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
27adef3200e027d9d6b6326af8befc9f

SHA1
2dc1e512dbfb41a1e94f8672e50f3a98cd1af0a3

SHA256
47a9f66e288662320e4175d89669f2a81f80358b00f3c4da43ebc8c205d77ff0

SHA512
be0de5049f391ae26d67a46b99ae5d4b28912563adcad15aa7fadbd14ae1d0f00fa0d3fc0ffd8eea5d9836ce1c04aa6d63424bf14b4376da43c9bda22a858a33

Download Submit
memory/8-1390-0x0000000140000000-0x0000000140168000-memory.dmp

Filesize
1.4MB

Download
memory/8-1132-0x0000000140000000-0x0000000140168000-memory.dmp

Filesize
1.4MB

Download
memory/544-496-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/544-1084-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/928-1163-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/928-1442-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1880-1186-0x0000000140000000-0x000000014011B000-memory.dmp

Filesize
1.1MB

Download
memory/1880-1064-0x0000000140000000-0x000000014011B000-memory.dmp

Filesize
1.1MB

Download
memory/2040-1100-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2040-1317-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2068-1279-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/2068-1088-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/2280-236-0x000001B9618A0000-0x000001B9618C2000-memory.dmp

Filesize
136KB

Download
memory/2292-1149-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/2292-1020-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/2592-1162-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/2592-1035-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/2680-1113-0x0000000140000000-0x0000000140188000-memory.dmp

Filesize
1.5MB

Download
memory/2680-1355-0x0000000140000000-0x0000000140188000-memory.dmp

Filesize
1.5MB

Download
memory/2920-480-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/2920-1059-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3604-468-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/3604-1388-0x00000000359E0000-0x00000000359EA000-memory.dmp

Filesize
40KB

Download
memory/3604-1387-0x00000000354B0000-0x0000000035542000-memory.dmp

Filesize
584KB

Download
memory/3604-1275-0x0000000035660000-0x0000000035822000-memory.dmp

Filesize
1.8MB

Download
memory/3604-1034-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/3604-968-0x0000000035410000-0x0000000035460000-memory.dmp

Filesize
320KB

Download
memory/3604-946-0x0000000034420000-0x00000000344BC000-memory.dmp

Filesize
624KB

Download
memory/3604-487-0x00000000343F0000-0x0000000034422000-memory.dmp

Filesize
200KB

Download
memory/3604-485-0x0000000033E40000-0x00000000343E4000-memory.dmp

Filesize
5.6MB

Download
memory/3604-483-0x0000000033DB0000-0x0000000033DE4000-memory.dmp

Filesize
208KB

Download
memory/3892-30-0x0000000002850000-0x0000000003850000-memory.dmp

Filesize
16.0MB

Download
memory/3892-13-0x0000000002850000-0x0000000003850000-memory.dmp

Filesize
16.0MB

Download
memory/3892-29-0x0000000002850000-0x0000000003850000-memory.dmp

Filesize
16.0MB

Download
memory/3892-16-0x0000000002850000-0x0000000003850000-memory.dmp

Filesize
16.0MB

Download
memory/3892-31-0x0000000002850000-0x0000000003850000-memory.dmp

Filesize
16.0MB

Download
memory/3892-32-0x0000000002850000-0x0000000003850000-memory.dmp

Filesize
16.0MB

Download
memory/3892-33-0x0000000002850000-0x0000000003850000-memory.dmp

Filesize
16.0MB

Download
memory/3892-37-0x0000000002850000-0x0000000003850000-memory.dmp

Filesize
16.0MB

Download
memory/3892-40-0x0000000002850000-0x0000000003850000-memory.dmp

Filesize
16.0MB

Download
memory/3892-25-0x0000000002850000-0x0000000003850000-memory.dmp

Filesize
16.0MB

Download
memory/3892-20-0x0000000002850000-0x0000000003850000-memory.dmp

Filesize
16.0MB

Download
memory/3892-0-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/3892-15-0x0000000002850000-0x0000000003850000-memory.dmp

Filesize
16.0MB

Download
memory/3892-14-0x0000000002850000-0x0000000003850000-memory.dmp

Filesize
16.0MB

Download
memory/3892-5-0x0000000002850000-0x0000000003850000-memory.dmp

Filesize
16.0MB

Download
memory/3892-42-0x0000000002850000-0x0000000003850000-memory.dmp

Filesize
16.0MB

Download
memory/3892-21-0x0000000002850000-0x0000000003850000-memory.dmp

Filesize
16.0MB

Download
memory/3892-9-0x0000000002850000-0x0000000003850000-memory.dmp

Filesize
16.0MB

Download
memory/3892-45-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/3892-2-0x0000000002850000-0x0000000003850000-memory.dmp

Filesize
16.0MB

Download
memory/3892-46-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/3892-1-0x0000000002850000-0x0000000003850000-memory.dmp

Filesize
16.0MB

Download
memory/3892-6-0x0000000002850000-0x0000000003850000-memory.dmp

Filesize
16.0MB

Download
memory/3892-44-0x0000000002850000-0x0000000003850000-memory.dmp

Filesize
16.0MB

Download
memory/3892-7-0x0000000002850000-0x0000000003850000-memory.dmp

Filesize
16.0MB

Download
memory/3892-8-0x0000000002850000-0x0000000003850000-memory.dmp

Filesize
16.0MB

Download
memory/3892-36-0x0000000002850000-0x0000000003850000-memory.dmp

Filesize
16.0MB

Download
memory/3892-12-0x0000000002850000-0x0000000003850000-memory.dmp

Filesize
16.0MB

Download
memory/3892-65-0x0000000002850000-0x0000000003850000-memory.dmp

Filesize
16.0MB

Download
memory/3892-23-0x0000000002850000-0x0000000003850000-memory.dmp

Filesize
16.0MB

Download
memory/3892-19-0x0000000002850000-0x0000000003850000-memory.dmp

Filesize
16.0MB

Download
memory/3892-48-0x0000000002850000-0x0000000003850000-memory.dmp

Filesize
16.0MB

Download
memory/3892-24-0x0000000002850000-0x0000000003850000-memory.dmp

Filesize
16.0MB

Download
memory/3892-49-0x0000000002850000-0x0000000003850000-memory.dmp

Filesize
16.0MB

Download
memory/3892-26-0x0000000002850000-0x0000000003850000-memory.dmp

Filesize
16.0MB

Download
memory/3892-10-0x0000000002850000-0x0000000003850000-memory.dmp

Filesize
16.0MB

Download
memory/3892-27-0x0000000002850000-0x0000000003850000-memory.dmp

Filesize
16.0MB

Download
memory/3892-62-0x0000000002850000-0x0000000003850000-memory.dmp

Filesize
16.0MB

Download
memory/3892-64-0x0000000002850000-0x0000000003850000-memory.dmp

Filesize
16.0MB

Download
memory/3892-63-0x0000000002850000-0x0000000003850000-memory.dmp

Filesize
16.0MB

Download
memory/3892-11-0x0000000002850000-0x0000000003850000-memory.dmp

Filesize
16.0MB

Download
memory/3892-34-0x0000000002850000-0x0000000003850000-memory.dmp

Filesize
16.0MB

Download
memory/3892-61-0x0000000002850000-0x0000000003850000-memory.dmp

Filesize
16.0MB

Download
memory/3892-35-0x0000000002850000-0x0000000003850000-memory.dmp

Filesize
16.0MB

Download
memory/3892-22-0x0000000002850000-0x0000000003850000-memory.dmp

Filesize
16.0MB

Download
memory/3892-39-0x0000000002850000-0x0000000003850000-memory.dmp

Filesize
16.0MB

Download
memory/3892-18-0x0000000002850000-0x0000000003850000-memory.dmp

Filesize
16.0MB

Download
memory/3892-43-0x0000000002850000-0x0000000003850000-memory.dmp

Filesize
16.0MB

Download
memory/3892-17-0x0000000002850000-0x0000000003850000-memory.dmp

Filesize
16.0MB

Download
memory/3892-47-0x0000000002850000-0x0000000003850000-memory.dmp

Filesize
16.0MB

Download
memory/3892-41-0x0000000002850000-0x0000000003850000-memory.dmp

Filesize
16.0MB

Download
memory/3892-50-0x0000000002850000-0x0000000003850000-memory.dmp

Filesize
16.0MB

Download
memory/3892-51-0x0000000002850000-0x0000000003850000-memory.dmp

Filesize
16.0MB

Download
memory/3892-52-0x0000000002850000-0x0000000003850000-memory.dmp

Filesize
16.0MB

Download
memory/3892-38-0x0000000002850000-0x0000000003850000-memory.dmp

Filesize
16.0MB

Download
memory/3892-66-0x0000000002850000-0x0000000003850000-memory.dmp

Filesize
16.0MB

Download
memory/3892-53-0x0000000002850000-0x0000000003850000-memory.dmp

Filesize
16.0MB

Download
memory/3892-60-0x0000000002850000-0x0000000003850000-memory.dmp

Filesize
16.0MB

Download
memory/3892-28-0x0000000002850000-0x0000000003850000-memory.dmp

Filesize
16.0MB

Download
memory/3892-54-0x0000000002850000-0x0000000003850000-memory.dmp

Filesize
16.0MB

Download
memory/3892-55-0x0000000002850000-0x0000000003850000-memory.dmp

Filesize
16.0MB

Download
memory/3892-56-0x0000000002850000-0x0000000003850000-memory.dmp

Filesize
16.0MB

Download
memory/3892-57-0x0000000002850000-0x0000000003850000-memory.dmp

Filesize
16.0MB

Download
memory/3892-58-0x0000000002850000-0x0000000003850000-memory.dmp

Filesize
16.0MB

Download
memory/3892-59-0x0000000002850000-0x0000000003850000-memory.dmp

Filesize
16.0MB

Download
memory/4012-1075-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4012-1199-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4012-1445-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4256-1174-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/4256-1038-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/4320-1150-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4320-1439-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4728-1151-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4728-1142-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5176-1175-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5176-1449-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5292-1187-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/5292-1450-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/5452-1200-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5452-1451-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5644-948-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5644-983-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5772-1099-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/5772-959-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/5912-1111-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5912-979-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/6000-993-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/6000-998-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/6100-1000-0x0000000140000000-0x000000014013F000-memory.dmp

Filesize
1.2MB

Download
memory/6100-1135-0x0000000140000000-0x000000014013F000-memory.dmp

Filesize
1.2MB

Download