blustealer | 9966abd2f2239c4ab9ef470ba0a76c3546645666976c45d7294214d283510140

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
16-04-2023 11:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Purchase Order.exe
Size

1.3MB
MD5

293fdf1a86054e7f7ea5468093a32619
SHA1

556f35a6bc2f99c18eac6efc24772bcaea2c4dc7
SHA256

9966abd2f2239c4ab9ef470ba0a76c3546645666976c45d7294214d283510140
SHA512

dd89c55471e4573b14bc8b15fd5f268bc03f6c47d127bb3a07f70b3ff7ecf6c43f86eae13a2bf70d15baf9df2de198cbb5a18b287dff08027a7dbbb51d6d94df
SSDEEP

24576:dlDz26SjmWjOMnxBZL/gBDTOihq+6yYAJOxyaLYJydD4noK1kY2OdGJ306n2r6L:bDcmWKMx7L/oHOihz6y9JOx2Ig162OL

Score

10^/10

blustealer collection spyware stealer

Malware Config

Extracted

Family

blustealer

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 22 IoCs

pid	Process
4496	alg.exe
980	DiagnosticsHub.StandardCollector.Service.exe
4256	fxssvc.exe
4928	elevation_service.exe
4140	elevation_service.exe
2532	maintenanceservice.exe
1404	msdtc.exe
1976	OSE.EXE
2712	PerceptionSimulationService.exe
5076	perfhost.exe
2340	locator.exe
4904	SensorDataService.exe
1744	snmptrap.exe
4080	spectrum.exe
448	ssh-agent.exe
3424	TieringEngineService.exe
1552	AgentService.exe
4132	vds.exe
3336	vssvc.exe
3300	wbengine.exe
1248	WmiApSrv.exe
2692	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\locator.exe	Purchase Order.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	Purchase Order.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\72ffba950d0d086.bin	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	Purchase Order.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	Purchase Order.exe
File opened for modification	C:\Windows\System32\msdtc.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\AgentService.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	Purchase Order.exe
File opened for modification	C:\Windows\System32\vds.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\wbengine.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\msiexec.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\vssvc.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\spectrum.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	Purchase Order.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4972 set thread context of 4236	4972	Purchase Order.exe	91
PID 4236 set thread context of 4888	4236	Purchase Order.exe	97

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\keytool.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\rmiregistry.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\ssvagent.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jcmd.exe	Purchase Order.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmic.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\ktab.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\pack200.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	Purchase Order.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\xjc.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\orbd.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jjs.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\kinit.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jabswitch.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jvisualvm.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\wsimport.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\kinit.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\tnameserv.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javaws.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javac.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\tnameserv.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\policytool.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javah.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jconsole.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jjs.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmiregistry.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\kinit.exe	Purchase Order.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jp2launcher.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstat.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\servertool.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	Purchase Order.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	Purchase Order.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c9a9f86a6970d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000711ffd656970d901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003d7a4e636970d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000478e61636970d901	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c79d74636970d901	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a8bc19666970d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000a82d56c6970d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000facf4b666970d901	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005ae15e666970d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	79	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
4972	Purchase Order.exe
4972	Purchase Order.exe
4236	Purchase Order.exe
4236	Purchase Order.exe
4236	Purchase Order.exe
4236	Purchase Order.exe
4236	Purchase Order.exe
4236	Purchase Order.exe
4236	Purchase Order.exe
4236	Purchase Order.exe
4236	Purchase Order.exe
4236	Purchase Order.exe
4236	Purchase Order.exe
4236	Purchase Order.exe
4236	Purchase Order.exe
4236	Purchase Order.exe
4236	Purchase Order.exe
4236	Purchase Order.exe
4236	Purchase Order.exe
4236	Purchase Order.exe
4236	Purchase Order.exe
4236	Purchase Order.exe
4236	Purchase Order.exe
4236	Purchase Order.exe
4236	Purchase Order.exe
4236	Purchase Order.exe
4236	Purchase Order.exe
4236	Purchase Order.exe
4236	Purchase Order.exe
4236	Purchase Order.exe
4236	Purchase Order.exe
4236	Purchase Order.exe
4236	Purchase Order.exe
4236	Purchase Order.exe
4236	Purchase Order.exe
4236	Purchase Order.exe
4236	Purchase Order.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
668	Process not Found
668	Process not Found

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeDebugPrivilege	4972	Purchase Order.exe
Token: SeTakeOwnershipPrivilege	4236	Purchase Order.exe
Token: SeAuditPrivilege	4256	fxssvc.exe
Token: SeRestorePrivilege	3424	TieringEngineService.exe
Token: SeManageVolumePrivilege	3424	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1552	AgentService.exe
Token: SeBackupPrivilege	3336	vssvc.exe
Token: SeRestorePrivilege	3336	vssvc.exe
Token: SeAuditPrivilege	3336	vssvc.exe
Token: SeBackupPrivilege	3300	wbengine.exe
Token: SeRestorePrivilege	3300	wbengine.exe
Token: SeSecurityPrivilege	3300	wbengine.exe
Token: 33	2692	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2692	SearchIndexer.exe
Token: SeDebugPrivilege	4236	Purchase Order.exe
Token: SeDebugPrivilege	4236	Purchase Order.exe
Token: SeDebugPrivilege	4236	Purchase Order.exe
Token: SeDebugPrivilege	4236	Purchase Order.exe
Token: SeDebugPrivilege	4236	Purchase Order.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4236	Purchase Order.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 4972 wrote to memory of 4504	4972	Purchase Order.exe	90
PID 4972 wrote to memory of 4504	4972	Purchase Order.exe	90
PID 4972 wrote to memory of 4504	4972	Purchase Order.exe	90
PID 4972 wrote to memory of 4236	4972	Purchase Order.exe	91
PID 4972 wrote to memory of 4236	4972	Purchase Order.exe	91
PID 4972 wrote to memory of 4236	4972	Purchase Order.exe	91
PID 4972 wrote to memory of 4236	4972	Purchase Order.exe	91
PID 4972 wrote to memory of 4236	4972	Purchase Order.exe	91
PID 4972 wrote to memory of 4236	4972	Purchase Order.exe	91
PID 4972 wrote to memory of 4236	4972	Purchase Order.exe	91
PID 4972 wrote to memory of 4236	4972	Purchase Order.exe	91
PID 4236 wrote to memory of 4888	4236	Purchase Order.exe	97
PID 4236 wrote to memory of 4888	4236	Purchase Order.exe	97
PID 4236 wrote to memory of 4888	4236	Purchase Order.exe	97
PID 4236 wrote to memory of 4888	4236	Purchase Order.exe	97
PID 4236 wrote to memory of 4888	4236	Purchase Order.exe	97
PID 2692 wrote to memory of 5004	2692	SearchIndexer.exe	119
PID 2692 wrote to memory of 5004	2692	SearchIndexer.exe	119
PID 2692 wrote to memory of 3692	2692	SearchIndexer.exe	120
PID 2692 wrote to memory of 3692	2692	SearchIndexer.exe	120

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4972
- C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe
  "C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe"
  2⤵
  PID:4504
- C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe
  "C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4236
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path
    PID:4888

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:4496

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:980

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4408

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4256

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4928

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4140

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2532

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1404

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1976

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2712

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:5076

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2340

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4904

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1744

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4080

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:448

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:972

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3424

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1552

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4132

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3336

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3300

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1248

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5004
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3692

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
a301842d3747881be07f9783da3cab4a

SHA1
3c608e983eabbbb40b5556c09e511f044f840548

SHA256
dea6dcb9bc324d3aca747d46665b88b93398760f1f600d17c1835dcbbaacc048

SHA512
5ecbd2bf96d00f220c907cd05c1eaba560138f988b688ccd80e18f0bc79794787d0a140d0dc595fef351a239af8f8416ffd5befed23e4794face1e5f9a287ff4

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
8fdfc2b95f4500ff9fd88beda24e6552

SHA1
1f70032feb5b6ce5b630ec3a88e0e175e58e94f0

SHA256
8d9f0b33168367749e2d328e525bc73118c95638b5798abec69142f76ef70960

SHA512
00e2bca467f41dc2292827b463be09f3477f272a42baa2560240ca2486bb193f96da1be7ccedcbc26d64e1b8ba88812589abd63d9e5eb6142f08aaa81fd0965f

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
8fdfc2b95f4500ff9fd88beda24e6552

SHA1
1f70032feb5b6ce5b630ec3a88e0e175e58e94f0

SHA256
8d9f0b33168367749e2d328e525bc73118c95638b5798abec69142f76ef70960

SHA512
00e2bca467f41dc2292827b463be09f3477f272a42baa2560240ca2486bb193f96da1be7ccedcbc26d64e1b8ba88812589abd63d9e5eb6142f08aaa81fd0965f

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.4MB

MD5
1c2169cbe4c496f14fbb97e636093360

SHA1
6d0fe1c9c0fe1c6f3d8e62e47a86be2915d73d8a

SHA256
4890dbdaf77c495e04ecb6d69e628712473c495fb8be5a81c3db0bc02efad26f

SHA512
bd773dc73afa424874938916aada33edee277395c2c9cdee7430408bc42d82f78d1dcebdb3285b56f40a5ba136afb8ee4f0f85037d13d6cc052a54111aab28a5

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.4MB

MD5
44a4c73459e0d12833d118a6ae9ff347

SHA1
0ac5a64e8fbf145307fdb75128f73f73a235f038

SHA256
bbea75ba04eaef6c92603ac5e587f7e242e97fd77211f7c900a2682e49466112

SHA512
f99825468a9fc731e451ea1036a13d7864d43bbd3626157c651acf16d7a09bb42c047ecd8805710ecc26211e169bbdab5ccc4ab7c4a72dd19e63a9421018e6ad

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.1MB

MD5
b4d023b46443ada6aeb434781d3fc575

SHA1
630c71f7f4f250a4ea54bdd843bb583a1bf4df00

SHA256
2e10ec931fbefaacb61abbe9a0aa10c7a9d18cb758dd08bb3f72528cb9534d59

SHA512
703a97ce36d49efb10c4425c5fe00038684a20b7eff91b1a40a6cf5a9a30bc1c8fb4e1eea4448685bdcf1c4a213685270296cf58c2eef3f8bf1214aa0246865f

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
bfcb018f381e6e3a6d99d062d4a08c39

SHA1
4e2720a6e402f10f29bdb7f4a56b00876ef83560

SHA256
097e474950a0505e951e03996cd6cc219694ba18e36cbf75a6b3356d5354927d

SHA512
ca630f18e50fb261601e2fb7ba3dd522a9c951f2ffe85d510a868eb698ce9f2b27c3a7878bee189ef42ccac4c0991368c2dc3af96d04a982370a97c95d36db6c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
51KB

MD5
88d75c6c5646b57ace1a86ab547a3c63

SHA1
d311eab44599191a102feca8d2b5fba83383240c

SHA256
54cf9316f166af704c7754bc8a9075a768751573bf4691d986b76609dc67913d

SHA512
a85657d7f49a665a92047ddd2698ab648acb435be9ab233629cb6460f1437419e903cc56b7823f47bb192e750046fcce879dda2b8031b20f44227b1f35df1ede

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
e893010cbcedad778a9adab87bb62281

SHA1
02ab610d3be46bcb33a8c71ae36f575d9931839d

SHA256
c4149e871045d9750aaeddf02ff47fdd8edb62fa8b303c17dc887990d28fac4c

SHA512
1123b5dfc270ca0db71bd1e489a9643da3940e3586c0d6e264c399bb0bfa069f3ab536810f53759110ba3c3589efd9d6c7abbcdb60fe143a5476264d45ebd04b

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
75b2cb220a5326cebd9b56994fdee65a

SHA1
21385868fcf92b07e33a22ff49e95f185096f3f3

SHA256
46bd685b2b7130804be03b928c47452ac570e4872e47515b4e013ace4ecbac6e

SHA512
18776ad4fdea0f2ee08f0383625e535a426cce3ea88ed01f329de3bf71b6a00b66e40f6dcd282825d0ba1399b1b43b7e54f18a38d83855b2acf0c568f751844e

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.4MB

MD5
aa92e79778676d101d8e4d7054e878c3

SHA1
afbcc83586a364c7e67447352f52e3de01b5ff65

SHA256
be9963a20ae9e7aac4f75985fb5bc45b828ade8c3efac0120a0f8399f615f7e5

SHA512
35ebbfa0a10206dc1e74ca9526b96ad600a54c9370f515026bda23c125e60619675ccb0f472935e9f87cefe45e1e2aacac1088f8f6e3dbc6674c2b2d0f56eeae

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
56245946d61cdb87bc117c13f657e505

SHA1
689958403099e36da1fae2b514d1833a2fb723dc

SHA256
52e0ce9ff3f92989f77fa7a11acfd3d2aa103d8109b72b79c1eec773b8a9feaf

SHA512
4e6f843c5efeb39548f4f5cb4058f21208a3069cd6675f5116200f612506d2322a32ac5ebe0a1643caa7bb284ad67754fa6b5d73b57981ab4da20e07b4d0accb

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
bdab19f8844eba967e032d5c81d1d8d9

SHA1
8a77918034416f4ccff87fa19ac7b0aad96106b0

SHA256
bcd65f9a8b2db7575f43db76ec0a35795c952105668b6beb066ebb49916eed0e

SHA512
c3a25f08a06307ecfaca42318c2f007954dc5482856a2f69eda582b915142ba0403c646c79edbadac5f4c342ef4921c7b51eb601d4f36b10b6e64728a0c7e9eb

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
d46a49e6f1f66e66826634e0fbbcc94a

SHA1
7a3f0a28003a5d065fe4e688fa0e2aa40a68d88d

SHA256
540ebac72c8fecbd0372b5a850ee4097d91cbaef23498e7db5ba69d3c5523e71

SHA512
28202eb995f94df6491ef09887596ff4168ed934a363e9c05b45f84574ee8128bc3e66a135408728eac7f1b387e099aad7a79c7633d53ef16c8aa27460786507

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
6ae3a42bda82d7df7bab3f4c98d930ad

SHA1
2a3d0d1038219da98e90f1e71293f54bdc857a32

SHA256
fbfdb817bd9fb9f29984ba559c73d9ab4a67b33dfb653b156037b26fbb05b7c0

SHA512
c7b3e58efb689e0cae15638548fc3ad962161854975927b98d9dd61a9c91abd2dde089fbf3e272f3a2bddf6739dadc1ea361a7d54bb92d18ccf82856dabf74e3

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
a2fe2f542cb6cdd4b46f2038764971b2

SHA1
da7abbd2b0045008bcbd60bae002f686e9288af7

SHA256
662fbd69c34d6f1c2c3198c6b49349d7bc084179804ca3987ad822d30384496a

SHA512
173ac4ea0ad0f34a99299348a2ef625ce78d1db067655080f7d586447f3bd0c1b7b3f920eb7d9e4ae76d1c22ed637ea6f98dc20a57c3e2c1e556324e7366bda0

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
94b13dbdee2f31b90176b326e5bdb5f9

SHA1
edea12d34c4ae05a60c3566f695c6088d491c3f2

SHA256
38c2f023b0f10fde95c8137649b0e3f47e9b118bbba643d3779da30c51fbb9b8

SHA512
de8850a0db01bceaec8d1dd3eadb3f982f072318d8a6c3fa01e62591444b6fbe94865fbeed35aac75f537c26352be2a4ea205b7674d39488e2979ed5040f9130

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
94b13dbdee2f31b90176b326e5bdb5f9

SHA1
edea12d34c4ae05a60c3566f695c6088d491c3f2

SHA256
38c2f023b0f10fde95c8137649b0e3f47e9b118bbba643d3779da30c51fbb9b8

SHA512
de8850a0db01bceaec8d1dd3eadb3f982f072318d8a6c3fa01e62591444b6fbe94865fbeed35aac75f537c26352be2a4ea205b7674d39488e2979ed5040f9130

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
48cef65718602ef950bc7496e42e50c6

SHA1
ed277824a23517d1d474d33108788513ba2df88e

SHA256
2394350407a7c489862ab207e93cc822f85aaf8fb25585a0a03623e45c136848

SHA512
ffb6a65fa1b9c954373a0d58b1140f3f0a465bade8d848e3eec91256e386b9fb540ba46078beaa01ccfe9b65dfac4e49767dd4ab52f8bb5adcd913c168e8012e

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
fc487677ea5bb898f12943b713fad99c

SHA1
5738b95d9e40d7f775ca7f02eba852cb70f2a0e4

SHA256
2a03ec72d1a3eae11bc346cd2e2173a4086ea8385a9aae324c0968f2fbba2798

SHA512
a332fae814939dee0574af617ced4698e62b83e85827fcc009edd07d4091c352b5ad17719a1644699701f171e777c9486b830ed3b9ad5d5e8682605b904cfc2d

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
eb9177a516bdf5be53e7a8ac92c0dc56

SHA1
67d0e141ae84d413711efc70421ee9d035f0bceb

SHA256
bfeedd9b6868c352ac699e781c53c3f06e221d2b43a4d9988ec12364e7ae2d41

SHA512
9fcf6a4c8cd5a8ed8208eb5bef57bc352d8636ce5f86d77cb9b46f6c0c1bba678a2e755c2f9da1589e2cfabe6c0f07f11dd45465ec98a9d4411dced264186166

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
eb9177a516bdf5be53e7a8ac92c0dc56

SHA1
67d0e141ae84d413711efc70421ee9d035f0bceb

SHA256
bfeedd9b6868c352ac699e781c53c3f06e221d2b43a4d9988ec12364e7ae2d41

SHA512
9fcf6a4c8cd5a8ed8208eb5bef57bc352d8636ce5f86d77cb9b46f6c0c1bba678a2e755c2f9da1589e2cfabe6c0f07f11dd45465ec98a9d4411dced264186166

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
2127de2e496fce8fe1eeddf25cb46fa3

SHA1
c9da0f8e7685ff40a4073305406dfe38345ad1c4

SHA256
73176fa000664072da80fd3f36479bf25a87cf80ba97e4fb5ff0b450ba4c392a

SHA512
9d6ee33effcc2043635518eb859d5adbd484a1b625c413cbb66f3543e4ec6a4614ff426c420dd6777dd2b1f62baed1f99973039658ea591167dfd4cf38225a42

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
4f6c37e186b1e6a0d12f555e59ac0672

SHA1
7059d3d5badeb38346b8946601cada774cd1a2ab

SHA256
bf4025205408a9c5409fff29ed4321a2571caec8e02080960dab1d00ebaec888

SHA512
0693762f2fab186ae42d9c8a1bc82d907a0af878729cdf87f8106ec3a8725b5436686f2c3613d790a11191da334f6cf848ce0af232ac44d1c26758b53e75f2cb

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
09a26a607ab22dec73b5b2491a6cf95a

SHA1
af120bb2c818bc46aa8b0d748a403b910d02dcca

SHA256
0bee01e2eb45a9a505f8d5b132569b1b705774b033ae204cd7a79f058fb6ea57

SHA512
88e378efa36cdd0a9d8b59eaede2357ec2ce3ff93afcda9a2a34345922302b10b43df356650d18185ab456174dbaa2ec5390f52e9cbb5d887042b69a21cdf512

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
1bfbaf7129bed41b25d0896b661393ac

SHA1
50a16d2a057e16e820390cf1e9e46be47b1c6776

SHA256
c74b9c4be8cbd2bc044b42c70147b3b7d52180c5b71eaad5057221bd396b5fe4

SHA512
f9bb4372dc699d05de6519a30fa4f98d5cd0a17311519ce8165ad94e24e9a28a36f92211a5ba5d55187c4da8561f9a45a48df4dbf364ac218dcfa1ba16a154c5

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
b14f7b42097b7eac827bec4fdb8cefb1

SHA1
3b6bf54a59408c07e3285beef1e8ea6a1c404bf7

SHA256
3322da6cf30b4dd8b867d68326d3eaf6a11235d5f1f4ac9d3758ea5ef8c1ba58

SHA512
c42e5dadf1c4f78d29624b73ff8157bf291504ab580eb6160eaf2526c6c6264598d7f5d1e3933e1a173c652dc3c7ee6286d09505ebbfe0d2a55b67aeef41eb65

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
c6a4428d5beb4e39d15adb0f6c00c0d8

SHA1
64cbadcbebd3bd0e83fde069d5c1dc5689625143

SHA256
a7ebfba06f5272072666744dfa52dde7def8cf404a52cbed5f27d6df40b49c03

SHA512
44cb0afb0de5ba3948ca43146080beac9785343379060800d66415767767f30f21eb1c3d5df2d99becc37a71282daf62ceca7318d37fa5afc65dbf6966d6ccb2

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
b4d6157842ce62a4473c0527ef2916ed

SHA1
0f0c62c3f23fe90de5f47eaef05e259773f8a0f2

SHA256
8e2b1db1f33d74c0af3487ed4eaac7708b899b7e53924ee291ac985e898e020b

SHA512
f4a42bb76662fcf88afa748391e75149e5635d2fd02e5d631aec50583ca60e145cba2bf95cc2be134fa7adc7849dfdfffb4e0b09d5c6dcfb336016b2f5016a35

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
7341027110e82d76821b33227782954f

SHA1
340cc2045fdb3d6e1d3770c3bd20c1ee2820c87b

SHA256
25ac81d760e81a081c040abed58e13dcc743cc09f8526241051d49dfb8d71272

SHA512
68cb5ded559e2d1ef39ee59792c55d90ec6ef53e98daa9561af56d185ebe411e8d2417e05aff68e4cc45a6c12462a921bc2171638f1abd30c81de9aa3c320ccb

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
c525dc77060b7669acf6c6de88fba4aa

SHA1
a50843e758d613b11b945e5bee815cc9b4f542ae

SHA256
7ceec661dd46830256b210e401e5d132bf64cd01e530cd736c0849872f099ae4

SHA512
a09328ecdf24377addc6378d96daf47cc5b46b133825ddab5025345eae63d2e068293fc61fc3ef91be3b0b3f2930f617de98d2d62bd0b7827ed0a7abedf4f5f2

Download Submit
C:\Windows\system32\AgentService.exe

Filesize
1.7MB

MD5
bdab19f8844eba967e032d5c81d1d8d9

SHA1
8a77918034416f4ccff87fa19ac7b0aad96106b0

SHA256
bcd65f9a8b2db7575f43db76ec0a35795c952105668b6beb066ebb49916eed0e

SHA512
c3a25f08a06307ecfaca42318c2f007954dc5482856a2f69eda582b915142ba0403c646c79edbadac5f4c342ef4921c7b51eb601d4f36b10b6e64728a0c7e9eb

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
5a1a5b40fb6e88ae6c5b8dd427e4e45c

SHA1
8181018ed5c0310f79f15713d41218d0ef44122b

SHA256
c5c6bc5e6e5b0dbf5a5d303d4c095929045946242a707a70eed5d03add64c7dc

SHA512
7940945a2a67d3cb901a74971cfe6f158466daa73d5cc495bc5ea6b8fcd0cfbd6dd64991ceeb84275d0c7aa144245f07d71b954398cc2abc83d6fe667a4d9155

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
9e5354cc18f243dfefb7edf4922111c1

SHA1
b57dafa761055d259b64b8957b6468ba1a49a1cc

SHA256
0e71d85b3f5a5be4355ca01ba70fdfe154221395a36d170db123835b8bd9adfa

SHA512
2b5adf78c2d1047a978bffdc92a89a3a6c9b42f3a3ca3e0730e703cd69dd5cd251f72634dc82c189e3f69af9d2f5bb96a86bdfd2c59d194eee894db264847b93

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
6ae3a42bda82d7df7bab3f4c98d930ad

SHA1
2a3d0d1038219da98e90f1e71293f54bdc857a32

SHA256
fbfdb817bd9fb9f29984ba559c73d9ab4a67b33dfb653b156037b26fbb05b7c0

SHA512
c7b3e58efb689e0cae15638548fc3ad962161854975927b98d9dd61a9c91abd2dde089fbf3e272f3a2bddf6739dadc1ea361a7d54bb92d18ccf82856dabf74e3

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
0a42f6272b83abf041929a536a13114c

SHA1
fe18c52d695cc95e576a587246e984b37396ed33

SHA256
4d0f864524bef4adf3e7f1716d866c4f29f3c0020e27eb38facf640951231b27

SHA512
ccba052d1ae48b3b9dc7584d5dd7c0dd08423d2895732e3800c3a67401a984bb5453bf0ea1bd3da565dc9c057f5572496234145e5b072787f0b381d8537c6f91

Download Submit
C:\odt\office2016setup.exe

Filesize
1.5MB

MD5
120217d2e5b6c3cc444b79441093a870

SHA1
7ef661f1d620a893bcb67a9e2e0a699df46b38a6

SHA256
b1b211836b87bc98e66dff1efc97a19c9bc27d1916f2d3892560301f73e4e298

SHA512
a290d74323d0cd8669d6e5f840d8c93105fa69b8968e8d09b375db0593d33453d94707ae83e4504e15278fb1d718badfa1e64ec13b36478ece36353a635fe826

Download Submit
memory/448-331-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/448-617-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/980-171-0x0000000000490000-0x00000000004F0000-memory.dmp

Filesize
384KB

Download
memory/980-177-0x0000000000490000-0x00000000004F0000-memory.dmp

Filesize
384KB

Download
memory/980-182-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/1248-399-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/1248-645-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/1404-236-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/1404-553-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/1404-235-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/1552-362-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1552-353-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1744-326-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1976-271-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/2340-302-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/2532-221-0x00000000021F0000-0x0000000002250000-memory.dmp

Filesize
384KB

Download
memory/2532-227-0x00000000021F0000-0x0000000002250000-memory.dmp

Filesize
384KB

Download
memory/2532-230-0x00000000021F0000-0x0000000002250000-memory.dmp

Filesize
384KB

Download
memory/2532-233-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2692-660-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2692-459-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2712-273-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/3300-397-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3336-628-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3336-377-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3424-351-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/3692-608-0x0000018833B60000-0x0000018833B61000-memory.dmp

Filesize
4KB

Download
memory/3692-672-0x0000018833B80000-0x0000018833B90000-memory.dmp

Filesize
64KB

Download
memory/3692-751-0x0000018834130000-0x0000018834150000-memory.dmp

Filesize
128KB

Download
memory/3692-750-0x0000018834130000-0x0000018834150000-memory.dmp

Filesize
128KB

Download
memory/3692-705-0x0000018833B80000-0x0000018833BA0000-memory.dmp

Filesize
128KB

Download
memory/3692-646-0x0000018833B80000-0x0000018833BA0000-memory.dmp

Filesize
128KB

Download
memory/3692-738-0x0000018833B80000-0x0000018833BA0000-memory.dmp

Filesize
128KB

Download
memory/3692-739-0x0000018834130000-0x0000018834140000-memory.dmp

Filesize
64KB

Download
memory/3692-740-0x0000018834130000-0x0000018834150000-memory.dmp

Filesize
128KB

Download
memory/3692-609-0x0000018833B80000-0x0000018833B90000-memory.dmp

Filesize
64KB

Download
memory/3692-753-0x0000018834130000-0x0000018834150000-memory.dmp

Filesize
128KB

Download
memory/3692-752-0x0000018834130000-0x0000018834150000-memory.dmp

Filesize
128KB

Download
memory/3692-607-0x0000018833B50000-0x0000018833B60000-memory.dmp

Filesize
64KB

Download
memory/3692-741-0x0000018834130000-0x0000018834150000-memory.dmp

Filesize
128KB

Download
memory/3692-747-0x0000018833B80000-0x0000018833BA0000-memory.dmp

Filesize
128KB

Download
memory/3692-671-0x0000018833B60000-0x0000018833B61000-memory.dmp

Filesize
4KB

Download
memory/3692-748-0x0000018834130000-0x0000018834140000-memory.dmp

Filesize
64KB

Download
memory/3692-749-0x0000018834130000-0x0000018834150000-memory.dmp

Filesize
128KB

Download
memory/4080-329-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4080-614-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4132-375-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4140-207-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/4140-527-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4140-218-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4140-214-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/4236-163-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/4236-454-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/4236-141-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/4236-144-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/4236-150-0x00000000030E0000-0x0000000003146000-memory.dmp

Filesize
408KB

Download
memory/4236-145-0x00000000030E0000-0x0000000003146000-memory.dmp

Filesize
408KB

Download
memory/4256-198-0x0000000000D20000-0x0000000000D80000-memory.dmp

Filesize
384KB

Download
memory/4256-189-0x0000000000D20000-0x0000000000D80000-memory.dmp

Filesize
384KB

Download
memory/4256-181-0x0000000000D20000-0x0000000000D80000-memory.dmp

Filesize
384KB

Download
memory/4256-203-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4256-184-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4496-164-0x0000000000560000-0x00000000005C0000-memory.dmp

Filesize
384KB

Download
memory/4496-166-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/4496-456-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/4496-157-0x0000000000560000-0x00000000005C0000-memory.dmp

Filesize
384KB

Download
memory/4888-213-0x0000000002B90000-0x0000000002BA0000-memory.dmp

Filesize
64KB

Download
memory/4888-200-0x0000000000B80000-0x0000000000BE6000-memory.dmp

Filesize
408KB

Download
memory/4904-303-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4904-569-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4928-202-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/4928-216-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4928-193-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/4928-529-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4972-140-0x00000000074E0000-0x000000000757C000-memory.dmp

Filesize
624KB

Download
memory/4972-133-0x00000000006C0000-0x000000000081A000-memory.dmp

Filesize
1.4MB

Download
memory/4972-139-0x0000000005350000-0x0000000005360000-memory.dmp

Filesize
64KB

Download
memory/4972-138-0x0000000005350000-0x0000000005360000-memory.dmp

Filesize
64KB

Download
memory/4972-137-0x0000000005C70000-0x0000000005E16000-memory.dmp

Filesize
1.6MB

Download
memory/4972-136-0x0000000005370000-0x000000000537A000-memory.dmp

Filesize
40KB

Download
memory/4972-135-0x00000000051B0000-0x0000000005242000-memory.dmp

Filesize
584KB

Download
memory/4972-134-0x00000000056C0000-0x0000000005C64000-memory.dmp

Filesize
5.6MB

Download
memory/5076-276-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/5076-579-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download