blustealer | 3bdc32444246ba2ef77108af1e1f03d7c25f263639addab0db84f65f30be83cf

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
17-04-2023 18:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe
Size

1.4MB
MD5

eaad3c08a1f393d748dd5e1a615b2b3d
SHA1

84a3f6c915201d6a662ad227114754aea6c2ee2c
SHA256

e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef
SHA512

2090e33e11e3a0ec15052b4c1f32574da80786655f22c766046c536dd47f9b2608279a9562d5cf5107a1a28b0ce78dc0a13c934643919f067c8f6a89b3db489a
SSDEEP

24576:vzOB9fWDrP3eS3OzAMgzZba9W4tL40ze2mLpNPT8EWAinrixydMvD:vzOB9fW33ekxXzZba9W4tzeJeEWPiqM

Score

10^/10

blustealer collection spyware stealer

Malware Config

Extracted

Family

blustealer

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 22 IoCs

pid	Process
4876	alg.exe
5096	DiagnosticsHub.StandardCollector.Service.exe
3828	fxssvc.exe
1648	elevation_service.exe
4624	elevation_service.exe
2080	maintenanceservice.exe
1584	msdtc.exe
956	OSE.EXE
1796	PerceptionSimulationService.exe
4368	perfhost.exe
2492	locator.exe
2180	SensorDataService.exe
3968	snmptrap.exe
5080	spectrum.exe
4760	ssh-agent.exe
3344	TieringEngineService.exe
3896	AgentService.exe
2600	vds.exe
3652	vssvc.exe
4380	wbengine.exe
1204	WmiApSrv.exe
1452	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\e274fe5350d0d086.bin	alg.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\spectrum.exe	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe
File opened for modification	C:\Windows\system32\AgentService.exe	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe
File opened for modification	C:\Windows\system32\msiexec.exe	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe
File opened for modification	C:\Windows\system32\vssvc.exe	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe
File opened for modification	C:\Windows\System32\vds.exe	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe
File opened for modification	C:\Windows\system32\wbengine.exe	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4896 set thread context of 376	4896	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe	93
PID 376 set thread context of 1600	376	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe	99

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\serialver.exe	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\servertool.exe	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jsadebugd.exe	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\java.exe	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jjs.exe	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\klist.exe	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\kinit.exe	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javah.exe	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\keytool.exe	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstack.exe	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\rmid.exe	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\rmid.exe	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{0BAA8BD4-90AF-4FCB-B1A3-821C23211F59}\chrome_installer.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000586b07b96c71d901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c248e1b86c71d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e3d741bd6c71d901	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000098d8e7be6c71d901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d5e865ba6c71d901	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ff73adba6c71d901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000089c32ebd6c71d901	SearchProtocolHost.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	73	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
4896	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe
4896	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe
376	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe
376	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe
376	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe
376	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe
376	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe
376	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe
376	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe
376	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe
376	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe
376	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe
376	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe
376	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe
376	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe
376	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe
376	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe
376	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe
376	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe
376	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe
376	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe
376	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe
376	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe
376	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe
376	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe
376	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe
376	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe
376	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe
376	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe
376	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe
376	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe
376	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe
376	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe
376	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe
376	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe
376	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe
376	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeDebugPrivilege	4896	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe
Token: SeTakeOwnershipPrivilege	376	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe
Token: SeAuditPrivilege	3828	fxssvc.exe
Token: SeRestorePrivilege	3344	TieringEngineService.exe
Token: SeManageVolumePrivilege	3344	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3896	AgentService.exe
Token: SeBackupPrivilege	3652	vssvc.exe
Token: SeRestorePrivilege	3652	vssvc.exe
Token: SeAuditPrivilege	3652	vssvc.exe
Token: SeBackupPrivilege	4380	wbengine.exe
Token: SeRestorePrivilege	4380	wbengine.exe
Token: SeSecurityPrivilege	4380	wbengine.exe
Token: 33	1452	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1452	SearchIndexer.exe
Token: SeDebugPrivilege	376	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe
Token: SeDebugPrivilege	376	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe
Token: SeDebugPrivilege	376	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe
Token: SeDebugPrivilege	376	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe
Token: SeDebugPrivilege	376	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
376	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 4896 wrote to memory of 2052	4896	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe	92
PID 4896 wrote to memory of 2052	4896	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe	92
PID 4896 wrote to memory of 2052	4896	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe	92
PID 4896 wrote to memory of 376	4896	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe	93
PID 4896 wrote to memory of 376	4896	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe	93
PID 4896 wrote to memory of 376	4896	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe	93
PID 4896 wrote to memory of 376	4896	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe	93
PID 4896 wrote to memory of 376	4896	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe	93
PID 4896 wrote to memory of 376	4896	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe	93
PID 4896 wrote to memory of 376	4896	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe	93
PID 4896 wrote to memory of 376	4896	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe	93
PID 376 wrote to memory of 1600	376	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe	99
PID 376 wrote to memory of 1600	376	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe	99
PID 376 wrote to memory of 1600	376	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe	99
PID 376 wrote to memory of 1600	376	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe	99
PID 376 wrote to memory of 1600	376	e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe	99
PID 1452 wrote to memory of 4628	1452	SearchIndexer.exe	121
PID 1452 wrote to memory of 4628	1452	SearchIndexer.exe	121
PID 1452 wrote to memory of 2204	1452	SearchIndexer.exe	122
PID 1452 wrote to memory of 2204	1452	SearchIndexer.exe	122

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe
"C:\Users\Admin\AppData\Local\Temp\e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4896
- C:\Users\Admin\AppData\Local\Temp\e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe
  "C:\Users\Admin\AppData\Local\Temp\e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe"
  2⤵
  PID:2052
- C:\Users\Admin\AppData\Local\Temp\e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe
  "C:\Users\Admin\AppData\Local\Temp\e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:376
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path
    PID:1600

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:4876

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:5096

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4536

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3828

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1648

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4624

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2080

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1584

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:956

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1796

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4368

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2492

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2180

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3968

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5080

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4760

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4244

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3344

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3896

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2600

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3652

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4380

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1204

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1452
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4628
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2204

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
d503b7fe8c33e875214e10e2fbcfdad2

SHA1
8eac6a5aa226ca927127143080b1483742c5af1d

SHA256
c33a4d06cdf8c0964a572e31b94c2213c1c022b9164b687fbbb3d9d9387e7114

SHA512
d555f6cdfa781cdb1b98272427cd34fdb04560f892b53bcd2f6304d1633cd42a0736997c5b7397a1837b3f8915f34672f74ad9a41beb6e42fc6c69ade142bf82

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
986817ee02a0417b1efca240dde8d2c3

SHA1
f8ea1dc341f9f74a177c4c67604c3f40e48d2459

SHA256
aee6528a0e3249f8436fea24490470718f4b1e73a0316d6b1208ce5164e80a45

SHA512
958673b434820217e166ff2acd2f7216d18aa5c67ffd3c5f76bc87aa4f3d08a296861cb03130810de32b0841665b14e28e4e266bd434ac1dfaeda41216954148

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
986817ee02a0417b1efca240dde8d2c3

SHA1
f8ea1dc341f9f74a177c4c67604c3f40e48d2459

SHA256
aee6528a0e3249f8436fea24490470718f4b1e73a0316d6b1208ce5164e80a45

SHA512
958673b434820217e166ff2acd2f7216d18aa5c67ffd3c5f76bc87aa4f3d08a296861cb03130810de32b0841665b14e28e4e266bd434ac1dfaeda41216954148

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
b59908a3450215cccd3ba0d9ed646955

SHA1
510194d28b26f216543b9e43644b251ed1de707e

SHA256
5477fef2a855c9dc030564268b9b1db922bb8b03aa7415eee9a6f24469b72fa8

SHA512
94679a54f71191a32b981f8a3690ad1c8e71163782971896f608b7937355927d9fc96ad927a7b9efcea480e6cf6798071adf4a226ad969b3e969123e4a058b0f

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.4MB

MD5
ece88e621fa3c3b2e8064107f689ebbe

SHA1
624eeff89820504548e77403ff5ac8b455f42590

SHA256
aa0f9c2890257ef7429836f550b1a0b4266e54431453a41cfda246dd0f879166

SHA512
8ab09ecf3017e334204f0f43ddd5c5012269c94b4a26668c48655dfd97b3075e99169dcd6f11650cfaf488563764869e146be847f47183c03f041adbc572e7c9

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.1MB

MD5
064ac31df82a60906d7e27cd3994a3ec

SHA1
0ebe3cdd47fee927aa2242a5989bc6e399b25412

SHA256
768392d6b6e4b76c6b442138f9e3cd8fc00df2282ae60f46cc740bc9acf9b6dd

SHA512
64f2e5855907de870e5e762e6ccf5252cbdc0e21d251dbc9dfa22b3293162d6cc0b8f7cc04f6c974c44e0cf2542ac1073ea2eb3a3763b3bb0a455839bd7204bf

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
7cae008c24e112d7606402c0f96c1df0

SHA1
1cbe8aff834c48dd97986be0c6d8fcf75e8df597

SHA256
1e27985c09947e34afdb1e9167ed37102a880e72170688d4c4c2a90bc4858f26

SHA512
b25fe1b00ed8368aee133be84cba239ec571e3a9db9c4b109d0f93dece81e8608742db151087e0ce1a4009fc046567ded5b55a2c2d6f31431d15d6b5fce0367a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
2fbfaf6e59b9843c623fa7ed3524cb2d

SHA1
8e9f8f8baca6af208862dc1cdb265b470089a9f4

SHA256
fb0d800722be665dafac1ddc474a2ef50ce7c80ae176a7f0844bb4498f62f4d8

SHA512
2f0bc75c63408528ee24f02ce450a4749343da545bd692ff73d84049c6b74440116f7c7fd375774bd5e43bdc54ed7f0807dd311682288d5f8edeed4fc830856b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
b8366cdc40c70708d0658b876e758638

SHA1
ac1a97895fbf0f6313369149aff0118468ccc579

SHA256
761396feab79c6a1115d1bf3404498b54392ea86cddd96174e8428b8e947ce24

SHA512
fde9ca98b8c1148ee5947dad78f40d4601d6bebc8ecf4e347f3ec89e6b50d89c45c03a6e66d2343a0b863f52b8ea1d0ce787f99f5edd49326c1f371354e33da8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
56f44c2997ea3dc4eb756d8c7a7d574d

SHA1
0db542e3310b5d89f6d990df550b12bbddb8a4bd

SHA256
45a83648d0a029652f9b449af76e9e98e65306860631195855e5d5c2657c20ac

SHA512
83e2cdc94490481e40a4cc769e66944601bdd328a7fbf3cf913219bb174178feb17b8039313891991b24570e4821d82e0dbbd00967f537c78e2d56d9090c4012

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
7aac48a85a1c05a9568b20278e1e9c8e

SHA1
26573cc5400d36c44b57211fcb1e0e091ae8e696

SHA256
04b949f9ec6b6f90744f2611293304d0a963027db9ffaf111a45586dd4116501

SHA512
a0ffef4116057b5641f67a16dc26b906ea025f3403191235d93d0b7348966eb062cb8a706a4102de1ed1d550e190729431222f607fb2972255e50df7584b9682

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
5330fdf3125fe7768dbbbf1ac18aa399

SHA1
0f8c405cb5afaad8c8c85e9c82a6a06f5629c2c9

SHA256
54942ac6dedd2f12c652f856fc3eb056be243807ff19d5a27a0274ec81e6127e

SHA512
c5cef1cc0ad71bb65d6ffb8fb4508ea831a494377fc002403408e95d2b4153784bf59058a64681412ba1bbcc387eae2ae0176ec5aad9c31025f4848cf5462689

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
f194d8c9b4ea52d76ee7251db41bbd21

SHA1
c2874114ff75a050682e9b696df70c7033313868

SHA256
a2b0821fb08888c59d49a9982e7a5831169bf9a9c1f218d5489b7eb34f4d2d78

SHA512
dc8e0028c298fa3fef93ab9f50c7e47b370f35c29d9080866382da71293b64309b94f6d7753243f3f15f7e81d510afe488cf723b8ced446909f5ff3c600670c6

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
49ae74fec01f993cbbe2decdd21ccf7f

SHA1
ad6dbdf05a859066fa492cffa500f42762b6b998

SHA256
1bd35e5dc47f12c2f9c582aa3c6909ba0f820fe98fffa95cb4d55194f30e629b

SHA512
c5568a539a7f5dc5d67978ed891158bcfe1085d564d6bea9398eae0f70f85f1ef4c911a2cd62ada77eaf72177ccf734a7f16425dd9b8da2291650b3a439ee2f2

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
9fe8983b7d6b54ad1a28084880190495

SHA1
2d24b9bffcbde26941f7c5fcb6f28abfea489243

SHA256
f5e660a6073d0c813687bb540f7ac09e912e1269ff9bd01df635fbc49d5c1a31

SHA512
4576e7da40556fbc4b34d5acf2585059336de2ad9bac390c14909b1cab24b0daa7b416964a57bb884540eab5e08d7889588217e8bfda3f073f2e69224e83b00a

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
c37e8b99d410a1c3e82f8f149fed8df8

SHA1
85b2ccb18b1fb7278d08cdaf90029c73513d7afa

SHA256
5ad458f0b858ab6f659f28d3f6af3034c2408892e69e90b830e470cf54c57159

SHA512
295860f0da8aa563bbc5e57c24dcca6f14d1ed4a55524d00cf4bc8cefc3966c932c5174192d31c6917b940b057c2870cd146d3423506026ae7dbed110d9d5f1e

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
8ba49e56d43e27cd249a8b9a85dafdbd

SHA1
d5806a742cb68c7d295ed207d2370e3ba1a25358

SHA256
cc956349b3fbbec506db3b20f0934b3b32afad390b00fda1fffa1348335d616a

SHA512
6f5febd4bfa129f4b410c1d15cb99e3a3d53a0f514d1978221180df3f45c604a7ef4ddece087d890855cb14c82a337c0f877952be5aa6425cedf1fe9e946106f

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
33f739306d32e0d50b1b0337f1c2ee82

SHA1
6012c9cd8de9473e463eb41bbefea36f6a935b66

SHA256
80377b2eb72b59d2c0ad49879886befb2e9299a3f1ee6879f983e384bca019d0

SHA512
c2f666d6532cc09a04b632e0cedee320297e041ed3524e8730c684e15b1e7841b9483688a3eca1bcdaeb1ac54a6feff16c9152186b31fabadaceed83e9010b31

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
57def5d098b65ccce394e99c388db7b7

SHA1
4635426a09a31b6d90ca568f905ff7a15f4e054b

SHA256
d4a6e0b4005f1f282bcbabb1e329fbd50a5ad1dbd85a0cc54465e51549e3a8fe

SHA512
dda42457c8d5fc234255c72bcbac2084ffdbe03ebbaa8cb6a4fb70a5ee47e2f1fedfbaff6d405222f090b8b300c167f00923c90daf151ea95cb7e0cd5788380c

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
e8bca8ec310fac4e5a01e6bcf5c285cc

SHA1
d1e0b0120acf1e1e9599ad5db37f3c84034f980c

SHA256
53224b01d5822f733fce880f37f84e80e3ece06e8f25d3f55fa985736a6ae515

SHA512
9f242eab1a9132bbb2a7de11c45f6009bee34390ae6c619eae5c47db863d05fae326306ac7bcae09457a278770247bfd2cbcd70b4a700cc694739331dd1d94db

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
eb9703bbf4e888b403032122ec536e02

SHA1
3535b2378cd72204dba6d7a79fe3a9e239ce126b

SHA256
a85643e8dd2674557446b64926ec51545431838ff24b35650aefcfd781dd326b

SHA512
70f9e83aa85219b82699bb31b3a8d40fcf809d2a12bc38796be375ac3a8ed1b89e75142bf4452a00dd8e60868eb84aa0447cbadc7b6a228b134b3eb40bd2ba65

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe

Filesize
1.2MB

MD5
3a2f222f9a8ac871d6f548efc7b424f4

SHA1
f982d6d9bce2dba57ea98d659e1ac7da46cb2118

SHA256
f275fd615a5cac7e9067702e736a58d066156b64e6688effbf0e53b2f3825679

SHA512
53f569d136467185df7c505439704be69f540aa06d7b46852d9a3b1b528c7d8f9539339a888cb65b34b4c6a1c06561eca5e02188083c200e86a012e9040a9cc4

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe

Filesize
1.2MB

MD5
3fd7d7f21036bed462f5816df4affc2e

SHA1
36284843331458f60ac33e054aae0f9fd08fac8e

SHA256
e7d2d57503eeaec44d5ffc858674fe9decfc0556dc29f0e5b56e759c940f1e96

SHA512
27c771bbf17ad5db913e3cfa6a278f87af00698b15d31dc80a750e70748723727af583dbc3177b110553290734c5788782d1d397c820f5f2020c5460c90bec9f

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe

Filesize
1.2MB

MD5
5696fe77eb701d8b00e3687e88360b4a

SHA1
a94008529597bbb3f903d8ec6258ae835959fade

SHA256
0a27a644137a43a728bc4cb6d9dbb7ec39d668847cbae65735cf28c39fc8e6ad

SHA512
82ccee178e14f4d475c2e80a26f29d08432171b625f73d67a976eef2553bb3e6888156ede71ca9431f9c15de7037131133b9b5e69e0c45e463e511a18253c901

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe

Filesize
1.3MB

MD5
1dcb4a2686f7bb1bdb9307b1b37816f5

SHA1
6f75c49c997400b144496fb1bd1c80d79bf4bc97

SHA256
1826da166149a122ac0ba486756638421fa91dd11df8c562d4cc339b7617e012

SHA512
2c54c75a5d4b011bdc1e479e80d134cf3ee994e79012eb8d471815aaa206e84f8246554ed0a644db0468c8c6fc1473e18e776355bc6881e035213b41cdf89370

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe

Filesize
1.2MB

MD5
69e4e0e0cd725e103329f4a7da72cadf

SHA1
3600d9a7036088b7815099ba0bc630602ebe9d54

SHA256
c709e56537f407c93124a7d557f214f6a928936d7da862f4f1bf290a9dc64ca9

SHA512
d03d1b93df29a9902cefd690b0f74efa1fe03e3f9d55deb23409738c9a5823b66edfa25adcbc654803664ed53bc78725d6321292f1bd5c98d6b481071ad31e0f

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe

Filesize
1.2MB

MD5
8da9c2549d5b990a0da09b0d21754cce

SHA1
5547a3478da67f6f8c0cb23e4cf47207bf575537

SHA256
6f5ac0f392105a0f5b3931e667335a4f3c3aede57600e64fef9bab5c09cd32e7

SHA512
3f56486f7ddce61c99eacc438abdbc06addc77eae45818ec2c5a11639b30bdb777a0d67216958ced4ed51aefbe4f05d2dbc1cf95bd35c44edd55d91c7b5c5a5d

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe

Filesize
1.2MB

MD5
2ae4ba9f50b27e377cffd78fc8177fc1

SHA1
f9b6ac56c2b687ae0b8302d88123b0c52c8452bb

SHA256
5ed51e1aebcee5afa92ccceab29c730f451cdbfc390a5600ae704446f406de81

SHA512
79d003cb3be3e0ae1ab7e2513e71d38eed682c089eee0981b7604db234108070a070b6ce137c281af539c90d92db3de69a84561e332e0ebde7adb097dabd885c

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\java.exe

Filesize
1.4MB

MD5
82d3d705fcea44f52eabfa105be4bed6

SHA1
a583f127b444d6bca2d48d5b08f0c741885c3d80

SHA256
5f7bea95bac3b6f3e7b030e7bb6bac5b9a9913514450c793906a4d003874e12e

SHA512
53c85589d99467852f2d8e580bb72757fea01a237a2fe89b067caa94003cebab64011664e97ba8e5f3f171ef2ee719a66e9f0bbd284071f2545a9da18de8b97d

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javac.exe

Filesize
1.2MB

MD5
56ea48724f1f66e540ef96f63c3a8ccf

SHA1
f62ae90ee44bb52cd9e385fbe9c402e14a3c0502

SHA256
75e040465f2a12a263cc0587bcb75ae47ffcc97407ac55dca76703ce614bdf97

SHA512
95a3edfc006b3fb2b27ec537a4220f88532aeee1097257a0214a23302e45e230e2b658dcac11c6a5b4f1bbcc850242e1e6aca08bfefbefd96cacd92afa0140f8

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe

Filesize
1.2MB

MD5
03197977d3963256b7f61109310cf18c

SHA1
de4caade5e1941a99b6a92efed8ff83300c63ea2

SHA256
4f290aea1302ff4e081b021a183fdd7ba0bda199c400e46c7def9adbe4f26885

SHA512
8ca95d4694c993511b5559e8e9cc7fffe1bb1c7474db98775ad763a506a122baea2ae4cd0ddb8de036dd4db3de246753ae73208800e7b131a27461cbb080f0be

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe

Filesize
1.3MB

MD5
c7be43ff528040eef7291f9f2b613505

SHA1
bae2314aacd8b2a16daa4d9a146cd33e425d9c7e

SHA256
a82ce55363dc2e5ece45c6fd892d3aa0fbbf97b3652759e13d495fcaa603a299

SHA512
e25292b85c6b01786d816f5c0fd282319f93bf0741fba15360731b5fc575085e27740470e8e70b19ddeeb5c380186c3d49cfa8ae62c7ae600ed62b698d2c12cf

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javah.exe

Filesize
1.2MB

MD5
fcf13267b5db9d018fe62d67fec8a822

SHA1
a86d342a7318ea89283484a8b178a681599eac5e

SHA256
9756ada6371e36577f454d3a1fc9291dec1c99286cf79a272348f497faf2cbe0

SHA512
3f6eb41e4fc9d3145a137cfb72cdf5e6ea725495c22df5fef94ea4ba7203a979e5e305250195ce391feed6551e3b51f06c9dbca37ec6f63a3323cb9f4c38ff7c

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe

Filesize
1.2MB

MD5
fa07f6a15febda28e0143023892cd6b0

SHA1
057c698e17b7a58975dc70294f45bc3397b1b647

SHA256
b298c14282176f9819c4b6f1d9a5ef50513978974142c2b936bb0161dd3cd674

SHA512
d1be5c594ca0787158da20bfd6a06f4cd4cc6a64a28fde6f5f933218f21230cc287f535ac8b3ceb0b0a29c816cab7ea56353f68707f1a1ecaa28d5f5fdad957e

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe

Filesize
1.3MB

MD5
f23de98418241d3aa741efcb2fd3bf8d

SHA1
e95c6bf78622995d4ae70c1105d43c188c9b1b15

SHA256
81b0cfd54fc95f4e20da46b210c00438a8ce9e870b5b271203595c608214aa09

SHA512
e5f8c4454570ff204dc95ee9bc25ffcaab47fc1ff48f0c1def7d350221ea88c1a08e557545120d2afb123ec04018c8ca7f3767a768ae97145aa35d6e8991c3ff

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe

Filesize
1.4MB

MD5
2d04ef765465a38afc857051861a1d06

SHA1
5ca094e180ff0f4b84b7d4af5d26c14d71cb22a0

SHA256
9f0dfc6dcb2375649917541378c53609c3083a567c1c87eeb1c064b8ef3ea3c2

SHA512
f92ec1405df0038688bbc7903afde2902bcc7081b81a22ca4f46073b6cc06fddc84113f8d283dab4b33bd5aef6aa4d5cc9391fb20ed62d53a3ef3765a6b31395

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe

Filesize
1.5MB

MD5
f39245c94f46b47b242a59131379d14b

SHA1
c87f30fcc1076a4dae0c278a4ffca2846a4e4b7d

SHA256
df8c99dfd2c4c4dbb127653bb2992841e697c7ea9f1b1001e1f38e4bfceeb509

SHA512
151ebabd04af5788598d897c0ba3bcf3e68e1b094faad7a18d320d57b2c72e65ef7732d5a91039cf38ab769d2c880dfb6d3c3e54bdf75d4d9ffabb53b82e50aa

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
7dbb05333a8c4010b3513ae24e3666ef

SHA1
b248939018bfbf075a3de5b09b821e0401ce3c49

SHA256
daafceded932538be70967a9a2c92d60622adc1c494009795b963e7534ae46a5

SHA512
f67df0374164c8d3c8895df020e6bfe82fa10c73822964851465d37ba6424a847284575c922a57d012cf1bf719c0fd4cebbe7e827d5f24778686c774b4dc8564

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
0e2068812d352f31b94a4e8388732009

SHA1
c2df8841d37c6364b8b00fafd85353d32e0c4b55

SHA256
fc5bf4833b61f1cfaf425dbdd2b4f7ce22542429afbd458255fddde54558b112

SHA512
5096d48d931f084ad010a064276f629c6a34e96528d134401a3a1939a7bffb260deb76f9c2e7c726dd263d39aa2afa51dbae08ba5b350e6df772ad0ee223844c

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
f83cafbfc029f418a9f020604865cd4c

SHA1
ac50435816364f40f3cb9a324bc6efbf80f88ae6

SHA256
6578542072e2f2d4efa98ece87524fa8149299307a0e82b3acd16d23405a85a9

SHA512
3e11b895bf2645a25d15af6fda12a8b5244f25027cc5ba3589ee199b6c37c21af82a17368569ed76c2f43ff9e28e15442696670d52e423a1165a59518debe372

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
40c60c50f99345369763adf92883ab48

SHA1
19ee0a30fad895da3039734f513577887bb60a83

SHA256
f931d77083fd91cfdb0ed15fbc256caf6803b50feaeaca6baf6ec22597ad74b4

SHA512
87947b3311313d3416b7cf36d7434b19041177fd8943a0916af252d283172b522dc059e5d0d5c6e966754144e28ca3351ade35bab9840c52b3203b65463f3b3e

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
ea6c081a6343a4c239e42377698c1681

SHA1
3dc1d23a59b7634225d1da8485db0952c9dc44ce

SHA256
fe26da2135520623c029fadab39d33132f039bf80bc608d126211ca10b7fcab5

SHA512
f2ba26fc829f68e226a842e5d74554fd67fd04bee7aa3158d8916c7c15cff830dc78f6403cc2c0773c0da8fd5d95c6857ea3856246b71f052db7de961d08b7a8

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
2045d17955d703a4436f09bd6e1d7b52

SHA1
163e7c93ade7667a907cad10c7d43b72ffbfdca7

SHA256
f06b3aae4a80faed341b4f2c59aaf557bd6017f111784b2a251540433f691f55

SHA512
e0f0a8e333875dd2ad1270f7ca4232e9a7da3f05592b314b6b7c2387515a1b236cd8c483c5199a09b1a84d1c75ae3f7f38f920528d479d8c3c5383a044cce897

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
ed949d9e1970c3c85a3de4b7ee66f074

SHA1
33a855ec48db801f605e708052df1857a677979c

SHA256
94901b091108b84e58d1bba4c377deac54d87aff6467b24478597f181c300a41

SHA512
ea68c7944cbb396e0bf7a37be310dde3a25a85032c8a2ba0047cefc29b1a08768eb9424b5b9f6d0c39aa5e33f2cf604f70bbeaf2005ed82a5340303cab1376a0

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
ed949d9e1970c3c85a3de4b7ee66f074

SHA1
33a855ec48db801f605e708052df1857a677979c

SHA256
94901b091108b84e58d1bba4c377deac54d87aff6467b24478597f181c300a41

SHA512
ea68c7944cbb396e0bf7a37be310dde3a25a85032c8a2ba0047cefc29b1a08768eb9424b5b9f6d0c39aa5e33f2cf604f70bbeaf2005ed82a5340303cab1376a0

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
32ab1e25c8897421f21568088d1432f6

SHA1
ced781d53c43a00f3cc6e65ca4670aefcb01cf09

SHA256
73042c1d33ef27e1b9c1a06ef152a8fc35cb0b98f10dd30d7075b910dbbb327c

SHA512
1cc182073af68aa66311b239968b784b27f0188d683e0afaa0d332df8bfba21a1248969c9050fdad570a2691b36c387bfa714be08bd865ce72ed5d90693d647f

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
e0eaef0718f0874b24d0e9630980132a

SHA1
b05bdf6f2e82b8f4c3fb17d459bdafe74ff292d3

SHA256
6445f282fd432ffd0a657ae0c1cbf9935023f2b188f9da4bf55ab6a55937526c

SHA512
179d429565891babf6daa8bec4114020c369eec08f9f41b5f4c51d60042c07588b1b6457c2907c1c28f0b34e97d48017ea9d01dc12c4ab3b1dc42d490fbca13c

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
e845dc923cc6404289c0ed3f68a3e0cb

SHA1
1600fe6dbc123a1e8dd3269b93a241c704f1243b

SHA256
38053c5e0b934597cfec047374962fdfe3ed957654c1e691f8ce8373294e8440

SHA512
57b0ad326075cca2c5f8c1de44ba27c0938ebfcd3feb2a6c5ecd533edebedb24bd0e3d6da6d3b32b439adfec4eb7d20a50b76a25cdc4fd2b87e7730c93651505

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
e845dc923cc6404289c0ed3f68a3e0cb

SHA1
1600fe6dbc123a1e8dd3269b93a241c704f1243b

SHA256
38053c5e0b934597cfec047374962fdfe3ed957654c1e691f8ce8373294e8440

SHA512
57b0ad326075cca2c5f8c1de44ba27c0938ebfcd3feb2a6c5ecd533edebedb24bd0e3d6da6d3b32b439adfec4eb7d20a50b76a25cdc4fd2b87e7730c93651505

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
eba58140130943a51cb9b1c91d703239

SHA1
80b5c6f47d2a85b210ede2af3f1e3b4a19a92c7f

SHA256
ef725ca923838bfe14fabe6fec7bc7e0db8d259bb73e9f233054c8f015a50e2b

SHA512
4ea838220ff238117098e009f46fbe84208ae93e472432b5c542f398a2f6c1b148a043f3ea7cce7fc4fe25065cc9979ab66bbfdd8a0fe7fcf2c8e25786507b2f

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
4da580935d4c731ee5b85efcdf450751

SHA1
3bd2dfec8b88eca86dad5930676e8ab9a05f3bfa

SHA256
9b9fb6d91195bc453f7caa839ebb7af7c5570374cff81e4d538f45bb0ed3c95a

SHA512
4dfd38b56820eb9cfd216d9abaf0abcf724f871f9f202b5225877ef74e22e648ceedfe0d9f6466cd4cab34577677b802e716c184536fc8b2fa44e01339b1954b

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
1bb6d3bab0ddb5e5a3cae01f629b2275

SHA1
e3e090c37d4c7ace1b6c0b5c3dbb087e45d6fc50

SHA256
0d237cddcf5000cdb06f5562ea3fa03873d69d9e9b62d8546e967f2cb6379c82

SHA512
8fa43ce415bc2a26c84c1b2bc88563bdd1451560d708bf1fa668ed916bfd7c7b715acefbd7963e1e6ada9bdcc7ea43f3b3ca1c43f6aa64de3d58b624838d8e91

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
4e379c6f4726a080ee37ddfeac5b1599

SHA1
c4a319dd54b4be761b013b1090d99b2cb7625fa0

SHA256
8fc926fd0a0f18fd6e520ffd40bfa56e963cc66f49848944c8e75270d272f3ba

SHA512
721f1371f4a69a7660bf7b6ca127cf5e6b80b2ed6f095306b24e59bd7561681d3483b32a2bdd438384324a861e2eef8b88148fb1041623994b2fa9326494b2d1

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
fff6234ad58c2b03cca15ac155a3e4c3

SHA1
6eee863355a5e133ae2966b6eb8ea867a35d5bb6

SHA256
6c4cc2d515c11f550b7137e8b19ffca127f33ed615535bf9142e83a9f2af587a

SHA512
005399f310009fe1b1b1b6f8095201fad003c8e872ae943c391b86841b59845ed2158bf9656c0b34950be56d70eb39e657d05c875358fc0e6b0e203a46ca9b58

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
49ff038367960ddd7d9672603f7720da

SHA1
f3057e14f37bd2a951edf89927b5297909b336bc

SHA256
0ab9863283d6dfa542051c93033f365adc9dccc9fa8c0c664d7be55fbb3b642f

SHA512
45a9cfc9352bdce691469b4a31d2689420724d351b59c99abdbe091e03bedf423c08f9d5b622f5a3df04a34390e0f0f7afdba78c5bffa7de0b1b8e4f07256f7a

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
589f058bfe695a93a42f4a771cef16b5

SHA1
cfdd358151ea47f98fd1483d228faeae3fa8c56d

SHA256
22af75a0d213ba6abf3572c9fb6328c6b799cf16825ec559d145dab319ef1cff

SHA512
6c44668540ea29387a7e15196ce866607d5d01e11bad1c591814bc5f9bdb0f3188323325980c1f04e51165fcfdbe84fbb38c68ebc54850e989cf4f60489328cb

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
518b5d0b59b5d9c5ac2ebff1f73a766a

SHA1
772df5f44c17fd3b66a16e9ee9ecc02004c58c8b

SHA256
f5d09a474e161a606a1373a84d1da5ac81b972555a6ba4ab8997e9d86a3fd420

SHA512
a4bd446210d26f5a31f435a13e87d59b49f3baf3d6541a4a836408ab0c584fdf4cd690132012508903a13eaeb28b63646e407ba2998d9b586d7507acb4cf4a02

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
d8998e0927b75b6f905476069b4b7ea8

SHA1
a99b035e6b2353f71b3c9df218a1dc25edc83912

SHA256
e048850465944214d318bd00a7a7746271b8bbec89a66ef869e4e8d876ece602

SHA512
9297d212170ae5d46def649e941175ba70b7f55920e78456e8950054695ca7da5945216a7675f6107e038b44816307238c428f03e47ade477a93f59de8a646cd

Download Submit
C:\Windows\system32\AgentService.exe

Filesize
1.7MB

MD5
f83cafbfc029f418a9f020604865cd4c

SHA1
ac50435816364f40f3cb9a324bc6efbf80f88ae6

SHA256
6578542072e2f2d4efa98ece87524fa8149299307a0e82b3acd16d23405a85a9

SHA512
3e11b895bf2645a25d15af6fda12a8b5244f25027cc5ba3589ee199b6c37c21af82a17368569ed76c2f43ff9e28e15442696670d52e423a1165a59518debe372

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
60175eb9ce1a9c853b728c8c425aab82

SHA1
288a32b66565085d4ea92045e63f42a2d0afc3ef

SHA256
a9531f1dfff720d785a17c2e113c76de57c8b615eb9860e42aa612bd61ff3675

SHA512
f5d7806953bcf52e647e979d21f6ed9d28f1f6c7f903cabf4a65492c042eb5f61c99bac44f6a8629493f8df923ae310bfde25947b8ee6b57c727117c18dc2041

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
4122d69eaf4ce902e3818439556436a1

SHA1
d65c664a9332ea3bd6ee6ea7311d78efc15eea55

SHA256
e759a17e2154b7133714ba23c8a309e485ee63abbd5a9ff65cc2d16ddf524e70

SHA512
5fe2ce3455880061291551a799259d4eeeb28a40de076d445fd8614bba3dd69affbefe372683b740499eeb29e29ed40ad237118c06ae8a987fc9aef9a66a5d0b

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
ea6c081a6343a4c239e42377698c1681

SHA1
3dc1d23a59b7634225d1da8485db0952c9dc44ce

SHA256
fe26da2135520623c029fadab39d33132f039bf80bc608d126211ca10b7fcab5

SHA512
f2ba26fc829f68e226a842e5d74554fd67fd04bee7aa3158d8916c7c15cff830dc78f6403cc2c0773c0da8fd5d95c6857ea3856246b71f052db7de961d08b7a8

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
98ff8c8ef35c6e892dada40b80b05e39

SHA1
4279fc2c7aea697ed940a6dd676b7a6481bbd34a

SHA256
af01443a39c7c67f0678a6197ed549f004c3ecaaa2acc1d17fe862a1b8cff281

SHA512
7d9a8b25f20a56838dcd4819560684a4c73db568a511906bdedc4d2c1f596fa80fbbdabe24cf6c2c73c76ae7f50507d9a493bd6224e22c18aa4b621634265b81

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
fc963db72343d25d7b475c466c6d6ba1

SHA1
46eeb4f6a0d8b99f3fcd9f03b408652d693fb09e

SHA256
d21debbb58284023f94f8e876e62add7484c9f5bc5a9a46a87f7dc0b622a7cc2

SHA512
ea7d2095932c7f53ed558ed8c10fc611e84fa1aad24a65b0a340bc6e2507c180042fccd90ba68672aa035c7e08078791cd487cd142e31b94d356595d903630d0

Download Submit
memory/376-143-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/376-140-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/376-144-0x0000000002AB0000-0x0000000002B16000-memory.dmp

Filesize
408KB

Download
memory/376-149-0x0000000002AB0000-0x0000000002B16000-memory.dmp

Filesize
408KB

Download
memory/376-533-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/376-159-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/956-277-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/1204-436-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/1204-622-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/1452-438-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1452-623-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1584-592-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/1584-235-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/1584-234-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/1600-201-0x0000000001300000-0x0000000001366000-memory.dmp

Filesize
408KB

Download
memory/1600-209-0x0000000005990000-0x00000000059A0000-memory.dmp

Filesize
64KB

Download
memory/1648-213-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1648-580-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1648-202-0x0000000000C30000-0x0000000000C90000-memory.dmp

Filesize
384KB

Download
memory/1648-192-0x0000000000C30000-0x0000000000C90000-memory.dmp

Filesize
384KB

Download
memory/1796-279-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/2080-220-0x0000000002250000-0x00000000022B0000-memory.dmp

Filesize
384KB

Download
memory/2080-226-0x0000000002250000-0x00000000022B0000-memory.dmp

Filesize
384KB

Download
memory/2080-229-0x0000000002250000-0x00000000022B0000-memory.dmp

Filesize
384KB

Download
memory/2080-232-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2180-595-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2180-326-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2204-669-0x000002032B460000-0x000002032B470000-memory.dmp

Filesize
64KB

Download
memory/2204-638-0x000002032B450000-0x000002032B460000-memory.dmp

Filesize
64KB

Download
memory/2204-686-0x000002032B460000-0x000002032B470000-memory.dmp

Filesize
64KB

Download
memory/2204-708-0x000002032B480000-0x000002032B490000-memory.dmp

Filesize
64KB

Download
memory/2204-709-0x000002032B480000-0x000002032B490000-memory.dmp

Filesize
64KB

Download
memory/2204-712-0x000002032B480000-0x000002032B490000-memory.dmp

Filesize
64KB

Download
memory/2204-713-0x000002032B480000-0x000002032B490000-memory.dmp

Filesize
64KB

Download
memory/2204-726-0x000002032B480000-0x000002032B490000-memory.dmp

Filesize
64KB

Download
memory/2204-730-0x000002032B450000-0x000002032B460000-memory.dmp

Filesize
64KB

Download
memory/2204-731-0x000002032B460000-0x000002032B470000-memory.dmp

Filesize
64KB

Download
memory/2204-732-0x000002032B460000-0x000002032B470000-memory.dmp

Filesize
64KB

Download
memory/2204-733-0x000002032B460000-0x000002032B470000-memory.dmp

Filesize
64KB

Download
memory/2204-734-0x000002032B460000-0x000002032B470000-memory.dmp

Filesize
64KB

Download
memory/2204-735-0x000002032B460000-0x000002032B470000-memory.dmp

Filesize
64KB

Download
memory/2204-736-0x000002032B460000-0x000002032B470000-memory.dmp

Filesize
64KB

Download
memory/2204-737-0x000002032B460000-0x000002032B470000-memory.dmp

Filesize
64KB

Download
memory/2204-637-0x000002032B430000-0x000002032B440000-memory.dmp

Filesize
64KB

Download
memory/2204-685-0x000002032B460000-0x000002032B470000-memory.dmp

Filesize
64KB

Download
memory/2204-665-0x000002032B460000-0x000002032B470000-memory.dmp

Filesize
64KB

Download
memory/2204-666-0x000002032B460000-0x000002032B470000-memory.dmp

Filesize
64KB

Download
memory/2204-667-0x000002032B460000-0x000002032B470000-memory.dmp

Filesize
64KB

Download
memory/2204-668-0x000002032B460000-0x000002032B470000-memory.dmp

Filesize
64KB

Download
memory/2492-324-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/2600-391-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3344-358-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/3652-392-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3828-180-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/3828-200-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3828-188-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/3828-196-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/3828-183-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3896-360-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3968-328-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/4368-281-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/4380-394-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4624-216-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/4624-206-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/4624-582-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4624-215-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4760-333-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/4760-607-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/4876-534-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/4876-164-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4876-156-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4876-161-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/4896-139-0x0000000006840000-0x00000000068DC000-memory.dmp

Filesize
624KB

Download
memory/4896-133-0x0000000000410000-0x0000000000576000-memory.dmp

Filesize
1.4MB

Download
memory/4896-138-0x0000000005230000-0x0000000005240000-memory.dmp

Filesize
64KB

Download
memory/4896-137-0x00000000050D0000-0x00000000050DA000-memory.dmp

Filesize
40KB

Download
memory/4896-136-0x0000000005230000-0x0000000005240000-memory.dmp

Filesize
64KB

Download
memory/4896-135-0x0000000004F20000-0x0000000004FB2000-memory.dmp

Filesize
584KB

Download
memory/4896-134-0x00000000053E0000-0x0000000005984000-memory.dmp

Filesize
5.6MB

Download
memory/5080-330-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5080-606-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5096-176-0x0000000000490000-0x00000000004F0000-memory.dmp

Filesize
384KB

Download
memory/5096-170-0x0000000000490000-0x00000000004F0000-memory.dmp

Filesize
384KB

Download
memory/5096-181-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download