blustealer | f266e9833cf991a972db594ad7afad2332dfccdd2b7454e49455b759f406bcd2

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
26-04-2023 14:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TT_copy.exe
Size

1.6MB
MD5

3acff0b9068df07116870bf461f4f7c1
SHA1

fb7c0e6fcee327e8ed755e8f1c5199f35a3c4723
SHA256

f266e9833cf991a972db594ad7afad2332dfccdd2b7454e49455b759f406bcd2
SHA512

0bf707bc83a739e6ed63a56b76323db9c59fd6a3bfb05c760adc77cf918efddf1d9d4769bc14fc5846e0c1d836e3cefc8169778d8c0182e20a0a368e80c6494d
SSDEEP

49152:zxy+4OponS7iO7PYPhR/vNv1YWsWXLbZG8T0Zh591z:MKpoq57+/tztXLbZJGT

Score

10^/10

blustealer collection spyware stealer

Malware Config

Extracted

Family

blustealer

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 22 IoCs

pid	Process
3476	alg.exe
3932	DiagnosticsHub.StandardCollector.Service.exe
3424	fxssvc.exe
2484	elevation_service.exe
3776	elevation_service.exe
4224	maintenanceservice.exe
5068	msdtc.exe
4180	OSE.EXE
1548	PerceptionSimulationService.exe
2120	perfhost.exe
2264	locator.exe
2304	SensorDataService.exe
2948	snmptrap.exe
1400	spectrum.exe
3820	ssh-agent.exe
3792	TieringEngineService.exe
3620	AgentService.exe
4952	vds.exe
3916	vssvc.exe
4224	wbengine.exe
3288	WmiApSrv.exe
4040	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Drops file in System32 directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	TT_copy.exe
File opened for modification	C:\Windows\system32\locator.exe	TT_copy.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\96878860ea807a0f.bin	alg.exe
File opened for modification	C:\Windows\system32\spectrum.exe	TT_copy.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	TT_copy.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	TT_copy.exe
File opened for modification	C:\Windows\System32\alg.exe	TT_copy.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	TT_copy.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	TT_copy.exe
File opened for modification	C:\Windows\system32\AgentService.exe	TT_copy.exe
File opened for modification	C:\Windows\system32\vssvc.exe	TT_copy.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	TT_copy.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	TT_copy.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	TT_copy.exe
File opened for modification	C:\Windows\system32\wbengine.exe	TT_copy.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	TT_copy.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	TT_copy.exe
File opened for modification	C:\Windows\System32\vds.exe	TT_copy.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	TT_copy.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	TT_copy.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	TT_copy.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	TT_copy.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	TT_copy.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4344 set thread context of 2376	4344	TT_copy.exe	91
PID 2376 set thread context of 4092	2376	TT_copy.exe	97

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\7z.exe	TT_copy.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe	TT_copy.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmic.exe	TT_copy.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\unpack200.exe	TT_copy.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	TT_copy.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe	TT_copy.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java.exe	TT_copy.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	TT_copy.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	TT_copy.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	TT_copy.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	TT_copy.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe	TT_copy.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\policytool.exe	TT_copy.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\serialver.exe	TT_copy.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jjs.exe	TT_copy.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\kinit.exe	TT_copy.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	TT_copy.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	TT_copy.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe	TT_copy.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javaw.exe	TT_copy.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	TT_copy.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	TT_copy.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\ktab.exe	TT_copy.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\klist.exe	TT_copy.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ssvagent.exe	TT_copy.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	TT_copy.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	TT_copy.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe	TT_copy.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\orbd.exe	TT_copy.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\ssvagent.exe	TT_copy.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jjs.exe	TT_copy.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\policytool.exe	TT_copy.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	TT_copy.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\keytool.exe	TT_copy.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ktab.exe	TT_copy.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	TT_copy.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	TT_copy.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe	TT_copy.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdb.exe	TT_copy.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jjs.exe	TT_copy.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jvisualvm.exe	TT_copy.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	TT_copy.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	TT_copy.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	TT_copy.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\keytool.exe	TT_copy.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	TT_copy.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	TT_copy.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	TT_copy.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jconsole.exe	TT_copy.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\xjc.exe	TT_copy.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javacpl.exe	TT_copy.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\java.exe	TT_copy.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	TT_copy.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe	TT_copy.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	TT_copy.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	TT_copy.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	TT_copy.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{A100221D-7AEF-402B-B05F-21D404F0BFBF}\chrome_installer.exe	TT_copy.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	TT_copy.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	TT_copy.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\java.exe	TT_copy.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	TT_copy.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	TT_copy.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jsadebugd.exe	TT_copy.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	TT_copy.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f7d80afa6078d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a3c66df66078d901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000541f68f76078d901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003df344f96078d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000649412f46078d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000769080f96078d901	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d03dfcf46078d901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000528929f56078d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000eb9f66f66078d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	92	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
2376	TT_copy.exe
2376	TT_copy.exe
2376	TT_copy.exe
2376	TT_copy.exe
2376	TT_copy.exe
2376	TT_copy.exe
2376	TT_copy.exe
2376	TT_copy.exe
2376	TT_copy.exe
2376	TT_copy.exe
2376	TT_copy.exe
2376	TT_copy.exe
2376	TT_copy.exe
2376	TT_copy.exe
2376	TT_copy.exe
2376	TT_copy.exe
2376	TT_copy.exe
2376	TT_copy.exe
2376	TT_copy.exe
2376	TT_copy.exe
2376	TT_copy.exe
2376	TT_copy.exe
2376	TT_copy.exe
2376	TT_copy.exe
2376	TT_copy.exe
2376	TT_copy.exe
2376	TT_copy.exe
2376	TT_copy.exe
2376	TT_copy.exe
2376	TT_copy.exe
2376	TT_copy.exe
2376	TT_copy.exe
2376	TT_copy.exe
2376	TT_copy.exe
2376	TT_copy.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2376	TT_copy.exe
Token: SeAuditPrivilege	3424	fxssvc.exe
Token: SeRestorePrivilege	3792	TieringEngineService.exe
Token: SeManageVolumePrivilege	3792	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3620	AgentService.exe
Token: SeBackupPrivilege	3916	vssvc.exe
Token: SeRestorePrivilege	3916	vssvc.exe
Token: SeAuditPrivilege	3916	vssvc.exe
Token: SeBackupPrivilege	4224	wbengine.exe
Token: SeRestorePrivilege	4224	wbengine.exe
Token: SeSecurityPrivilege	4224	wbengine.exe
Token: 33	4040	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4040	SearchIndexer.exe
Token: SeDebugPrivilege	2376	TT_copy.exe
Token: SeDebugPrivilege	2376	TT_copy.exe
Token: SeDebugPrivilege	2376	TT_copy.exe
Token: SeDebugPrivilege	2376	TT_copy.exe
Token: SeDebugPrivilege	2376	TT_copy.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2376	TT_copy.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 4344 wrote to memory of 2376	4344	TT_copy.exe	91
PID 4344 wrote to memory of 2376	4344	TT_copy.exe	91
PID 4344 wrote to memory of 2376	4344	TT_copy.exe	91
PID 4344 wrote to memory of 2376	4344	TT_copy.exe	91
PID 4344 wrote to memory of 2376	4344	TT_copy.exe	91
PID 4344 wrote to memory of 2376	4344	TT_copy.exe	91
PID 4344 wrote to memory of 2376	4344	TT_copy.exe	91
PID 4344 wrote to memory of 2376	4344	TT_copy.exe	91
PID 2376 wrote to memory of 4092	2376	TT_copy.exe	97
PID 2376 wrote to memory of 4092	2376	TT_copy.exe	97
PID 2376 wrote to memory of 4092	2376	TT_copy.exe	97
PID 2376 wrote to memory of 4092	2376	TT_copy.exe	97
PID 2376 wrote to memory of 4092	2376	TT_copy.exe	97
PID 4040 wrote to memory of 5108	4040	SearchIndexer.exe	119
PID 4040 wrote to memory of 5108	4040	SearchIndexer.exe	119
PID 4040 wrote to memory of 2172	4040	SearchIndexer.exe	120
PID 4040 wrote to memory of 2172	4040	SearchIndexer.exe	120

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\TT_copy.exe
"C:\Users\Admin\AppData\Local\Temp\TT_copy.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4344
- C:\Users\Admin\AppData\Local\Temp\TT_copy.exe
  "C:\Users\Admin\AppData\Local\Temp\TT_copy.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2376
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path
    PID:4092

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3476

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3932

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3292

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3424

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2484

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3776

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4224

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:5068

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4180

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1548

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2120

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2264

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2304

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2948

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1400

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3820

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2864

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3792

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3620

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4952

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3916

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4224

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3288

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4040
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5108
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 900
  2⤵
  - Modifies data under HKEY_USERS
  PID:2172

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
4b2e24b74e505d2d8e35a1295f7c1e69

SHA1
e05b9bbad2f4f34fea66de000afb05d378e68244

SHA256
2f1284ef069299121c3ec299c7b24dfe1a5bef67d1e2a6487c5444b8b0abd042

SHA512
42f1c9ad1487a2dcaf1ae04675cf434c6bda043403f20126d69741bdedcb708a59a455300b188ab3e62a429a0fdeddb4dd10ef9f41d9c2380188594df7434bab

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
c3227bc486eb250b86db0e477322a2c8

SHA1
1c1946f144a49e2011c7e5065ce9ffffb119a889

SHA256
fb472bebd4aae4c9bec299a1b5fcddda8b1261e35af9518475587e5f42fa816d

SHA512
e9556956473435bd0b9049e1675ac4b1ee3a6e327485d6a581685f8340d63ea7c63047692580b5c4965f825e7c8e5561394d7cda85e64dd0abc08a2286de0a13

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
c3227bc486eb250b86db0e477322a2c8

SHA1
1c1946f144a49e2011c7e5065ce9ffffb119a889

SHA256
fb472bebd4aae4c9bec299a1b5fcddda8b1261e35af9518475587e5f42fa816d

SHA512
e9556956473435bd0b9049e1675ac4b1ee3a6e327485d6a581685f8340d63ea7c63047692580b5c4965f825e7c8e5561394d7cda85e64dd0abc08a2286de0a13

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.2MB

MD5
bb320ec14d9f6297e8061649aef90fe6

SHA1
fb0bd543fabe5b98bb4595c082bdb23891f97b40

SHA256
363968a3c16f34b7445399fd61ff9552c7bcf83dceadbde1c593b786b91b6c87

SHA512
0aee57754b7cce04b6da395cb881ff8d7714e33348803fe9151815788d5adb3a7c736b0a8d2943ff9538d3d882e1b003a963fda7bc69cf7aa47845d41a7305fc

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.2MB

MD5
50d41e7d55d89aa25484d396e2f775a3

SHA1
9255216c953cf6ba1de6073c4f41543a54351f79

SHA256
35d11c0108923133d023ba33ae8e56b5ff03dac5e9125ee30790748307d3df71

SHA512
d046ddbf9362d55465a0be84cfb5a7a5fcb43acee57657088ea1b23cd42d39c509fc493a4ef93fd4f9020663142a05442792af82e4989e079452ae5eec9124b9

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.1MB

MD5
250520bd491dcafee3cc0969dcc6bee4

SHA1
1a1b8813a004a0ad55da8ac062bc436ce9f66a90

SHA256
790c6a6e4e9c8f4f3a3822d4e341c2139356c7fea35b88e07f7cf040d7c77c79

SHA512
dcd72d62912e3bc77b8860bf41efdf1caf8ba72dfe8da4ee33d909f19518e44fb68a2afc8e83986535e52ed6a81886edbe4dc3d39337d8eb251b1a88902e3646

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
9d342c75d1f369b80476b41f202c7b75

SHA1
9bd49eac96159f30d267cff86197b9bed8ce1043

SHA256
7c7561bc1ba0a7f6d2cead7c62e24dc0d5c230c74fb45a40d2618b3276cc7a82

SHA512
ffabae0d84863bb388bb4044cf5f285497bcf7c90466ff87317c509a99ef287152d10273b889c2c2830db885af851d302214c5ec6060b652066fc059bb43cc47

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.2MB

MD5
98ca6b52fceb963a1d9d125aafa29ab2

SHA1
906a8acc2e87e35b36c193101ad58d8d96d6582f

SHA256
217f4452468b2aa4aae8e9f88ce5db2bac4b8d9791a08744c5f3a24880ecf9ad

SHA512
2ea5d67838563d34f0629a70e5c235dc7264f1d6a86674223ec7b1c9e534a1742045007832bf0bb44a6ab912d5c4f8dfe3afbadefc63bd6abe1eacacfc1eaee0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
1.2MB

MD5
218eb103c6b93201a5e1df24e5ec70db

SHA1
f7b400814f4f2499c80534b035aa3bea467f5aa8

SHA256
f7d548ad6c77fc7dd58b37633cd2c479db999a97a95b004f5da099dfb6471513

SHA512
8d31980d9aef01de853a911f57b48c62e5e8346c8e2b18745c3bce0911ea497e41910784a11038d5dfa8850a52ed78826d2cac76edfb971c04f47cab55f77829

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.2MB

MD5
dac3aaf109de92738b33fac70814433b

SHA1
f6270abb56c2f2dd5bbc63ebd5a82061d910dc70

SHA256
3581f939926ecbfc7ef0087c3923984925396e1ead28f89dc60c74b359842cfc

SHA512
54c7a4166e0ebea8e1b1a6152fada0d48c636fce6b7381a7d12af7f0d2fcdbf3c667f46585a29ce3ebf59beb263ecaa8056c6e73264c2ce9e7a5731f3e8a1b9b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
1.2MB

MD5
0475830bf8a6bfbf1ccb830603772e25

SHA1
58bfc7ca6706b4424d231fc3861c1dbf51788076

SHA256
0e4226bb724b68fa737968c63572be55b360af05efa8641854933e34c93922e7

SHA512
62a8cc3be6a4d70d79adc5bc873940d094d842f8cd1d95d7521dccacce4e8d8271f216e0ddb09eb18d737fbdd6345c6622c6f8a5620788973e4f5500bcd1f426

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
1.2MB

MD5
5b1b1202f00f2bf56955b381e48b4d10

SHA1
bc1f477f8914d66fdcc610549a11289195ca6556

SHA256
850cf9fd8f27f942843511f73f605d41c308054a51e009397815e9da7819d2d3

SHA512
87e8f955ec01bbcec77f991b5695bf839ed1f5d1a88afbc590a3a712723a509d35a8cda0ebe644ac06151912aa5fbe4921572c46eb4ef04d5506b0c9407a4e4a

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
a7b916bf71882986eec962e0ce9bb3fc

SHA1
864bd530ce636dc0fc1e9a95516cec718bb33988

SHA256
5cd89bc59431bb1896f611335793fff8903d59951902cd24d9dc4690561492a0

SHA512
97dd2c20955d81ece499ce2941a0b306d80ab8ebb69df15ac29aa6b272eeab8cccb259aac0d4450cf7a1de859161da26bfbc98f933b3f06040b54a9d8612c779

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
8b59a5895bd612b958f784a4fe4561db

SHA1
e3fdb6a936eedea0ca16829379a2524156c6f373

SHA256
65c80de1ff0bff4bd158a4350450f51242ed364a8d34235210d592cf08f6cbd4

SHA512
6a85159ff93ddde5ca5bb3d21f1b2d5f4e88d3c2ac235b8086570410c1b3b74e82f07b67c5d61e365f7d1b28f84b17dc6f98418debca1abcb8523dd3476fda9d

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.2MB

MD5
e03f174fc000651f0d024930d7837432

SHA1
53b8dbad9294c0eaa62f4bb009698292e244c102

SHA256
c38a77070b20b2ed91d51f9329ae9d1c09d1efdb0b81e6a3a1bcb245cfbff033

SHA512
c58fdb23e283e4e585d2ba9182336d9b1b5b2b474ec481239c39925e2e9435b6d91031f69b892ae589e9d19d7df0a817437dedf0d5a1b5022196929e02288d85

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
0f2f5d2cc17de22356e4f50f3625feae

SHA1
31e26ad90b04e1f74bb7deb10d3679aee0309192

SHA256
8d13f781fe31da38dcb0c75ce4dbcb22515babd9029aa3349f9fe1bef86fe468

SHA512
66f45b4c423f87e8219f3ddf552d2a0706d3d1ad870c2f86a07d336f1141f32bb034693ccca11180ee72946121673581e7c6e9ac074202fc0c32313b2d01f7fb

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
0f565177f69b54e48c7c463d6e08dea1

SHA1
20f27d8803d6deb75aaf6ade5a5d1806babb3d24

SHA256
9dc1ef4495160412564d13e5630f3402bb622ab619a50383b3558a4c5f7eddff

SHA512
762d07d9d2cc5d186f3f0d675dbdef1f2525447537f66c573cbdb01f803d24b75b473eaff3578166ba7b9375cd3b88782c0f551d4b93a39657adc6fafd9ff035

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
c1644354a6784db61c917b2ecb1c8d96

SHA1
9ebdf12822cac02dfe617a82883452d49d4fff2d

SHA256
f2d916e8a9f171c1337575a751fe448e1c2652239ff531061b2e858a3b3b14cb

SHA512
c3f8f48b12c76f1fede9764409ca178462a017d510c4eaa83c7cde6ea55e0f509f9287f06075730e5b6c69916c6008ee903fe398345e071ca20ac9b24101c563

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
4f4358a0d053aac8287395c8ecf795e8

SHA1
5d965b2b7e286336ccf16cfeee2132848b5267b0

SHA256
eff2d868edf93f157d70cec2d65f93e92b3795b841ba8395782e2018b5e33e8e

SHA512
2b34dc272f728f60100ef0ac91cf4e42ef2b813bfc73e1a392bba12fc1a8dcd3836ac36cdd11e8b6d68673a3f3207d1b7bc0ed26f8a5de3e891e13c74accbe1d

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
8436057dc69d0b799d9bc36e371b5ec5

SHA1
6a316b398adbe938870107cdf35aaff240e339b8

SHA256
220ad70a1afb4e93f84ddeeaf1ec70323713ee210a618ca2bfc135404555df21

SHA512
49e41c648da343fe60aa5c3c6cd7775ae27e306d68c4dd43a8228a0e743ae4f5f4e30dec4c0cb01eeb41f151c62167614fe11ba3c9456b10cdb3cac678a6d453

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
65e8e28ac7733fe2c00fdf1cb535f720

SHA1
acce67bdfe02866adf627d006225a05d4ae369c7

SHA256
d8d52bcae3bf257169e271b73915c5979ab9c4e2d2caab63ca0441b728fcfe3d

SHA512
df7ebea75590dc187f9378887604d3149a589340dc1e6c357b84139f9bf631fd56e346e483556ceee580a1f54aee7146f7849f0a28cc1b91987446fd993c20a9

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
65e8e28ac7733fe2c00fdf1cb535f720

SHA1
acce67bdfe02866adf627d006225a05d4ae369c7

SHA256
d8d52bcae3bf257169e271b73915c5979ab9c4e2d2caab63ca0441b728fcfe3d

SHA512
df7ebea75590dc187f9378887604d3149a589340dc1e6c357b84139f9bf631fd56e346e483556ceee580a1f54aee7146f7849f0a28cc1b91987446fd993c20a9

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
60632e4b073fa308703c27cd62bffdd9

SHA1
d5f5ded28685a7adf7f376c65cd8940953d61418

SHA256
464693bf6fc7be61d1e4c3678e480ba212ccf9fd32aa19484c0be20ca48c15a9

SHA512
a3cf89d4e64c03ecb58736deeb1439b9f5a16b31d299b7391355f11d9ea3cbbb3f13ddbfc8c750e5f37f58cefeff45ddf2d11bf32c9c55405adc36349188577a

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
614f9b6efa426ce1066864058ddedf91

SHA1
50c2df4fd5cc000cac7ec5c25171dbaee1780036

SHA256
97458fdb975db507c50a8a77b61605ef8f572390ef92fd074b107856ac6a9229

SHA512
fe1cb622014a06356607bdd95e11373f8746791c45f5be4cb16584840ff7b327aadd8280c4c04acf1e9e128856b84e0b3fc8997fc28fe02a1b1916d8588a260c

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
f279364869e93b04f31e878cc34d018b

SHA1
2642aa80d7d2d93d0b3a4524a232ec12f1006fc6

SHA256
72886bdd4050f4f728204e89638ad0cfc66b0f5cae27b7c2607d2ce70c1d6328

SHA512
cc90f59b1b4daa9a1bfe7e243e201c51f16442b06f2a27ffcf301c79edd5d2da69d52fa751ec70f11a0c78d26e556f7e205d070af5fd6dfffc424899078356b3

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
f279364869e93b04f31e878cc34d018b

SHA1
2642aa80d7d2d93d0b3a4524a232ec12f1006fc6

SHA256
72886bdd4050f4f728204e89638ad0cfc66b0f5cae27b7c2607d2ce70c1d6328

SHA512
cc90f59b1b4daa9a1bfe7e243e201c51f16442b06f2a27ffcf301c79edd5d2da69d52fa751ec70f11a0c78d26e556f7e205d070af5fd6dfffc424899078356b3

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
31e79db836f269934aae7b9e98f1e0e0

SHA1
d3a3616e8562e7040b13f324d5655595d13fb310

SHA256
fdbaafe71833a5083017023831e947a8e024a5626488eacbcb3f3c677936c7ef

SHA512
619c52aacb4cc89cd1cca23c573c5c5f7d5f70ff1c6ffae6407dea98e07ff5d31beb3064ba8314e079d69e18d15129603222d6a3a4b937b6023a1b60ec4e57cd

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
893282efd68adb11a07fffdee8c04265

SHA1
31b1e126998deb7a97edae2d3c459ed2c3051120

SHA256
1cec23bbc819315025106c679cd0de4e3b39226d6df18f9f929ceb5262ca044e

SHA512
37671c63dded56aeb7c06fca6cbfc70ca5f1ed51ac451ac2d112868f0f3ad6852d40a13c737142b56e2f09d179e9541679e9f4acec640b951250e8f1b7a1907a

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
6ae7d0e1fd3ae675a54153ab8e0a1c55

SHA1
154063eb4685c2e7c6a8a6da5608604965c66625

SHA256
275ff9422367f63cdfdf9f1ce796c705458d185b3dad6b6ffe52077493054abe

SHA512
0ee902d7ad6d5080a9639ec57c0bf7986f4caeabcbbfd6e70cde45432e3dc31c33af5ffcc425d166027afc32f821f87a63c7159a3450b9065eaca61b46fd7459

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
2debe22845e64c06749c80a8d00f77c9

SHA1
4e3627ab807cb803cfb6c422212f162f6fe89f9f

SHA256
766fd0aa41fc33abd158b0e748778780765cdfeb43bdc51c28e8d500e1af86f9

SHA512
d365a358e1abf1dfff2f98462bbcf6accd171111cc1d68ac6189db91afb75336cafb6e149d3f40b06c725d640052c21e2fc21903ec8ab0219cfa8aae4bfbc637

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
1837643f01c30beb840feedb003d0f19

SHA1
698a6a44ab265eff32f400f5255371c71ede7ff4

SHA256
563d17ba6f52e2fdd303aed60f3ecae06aff3aebb910be67b14d373fb0518332

SHA512
5e2d80178696871ac21ffa54f0c77356cf4df26233e1cd2c3b736b5828588698102cc57abdc88273cc953a7f4fbc210d41c2706d956edb930bc341f5d23e3789

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
1aaca7a2fc16ce754cc1a1fe62ad03ac

SHA1
e0859fd5d38bee7a31676354e4732fad202a06f8

SHA256
527a4c4578042d41368d9160b785f80524eec154e3ab52044b1260d3f28ff6c3

SHA512
cd968a7240faeadbb03a9e1c117753987976a5db644460fefe7547eef95ddb21732c996806b7753ef643fea9852694748f3709825d7b3208e065e171bbbedd1a

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
d86b429835ffe0c721ab24fd21025b6f

SHA1
b862d3ff5e1e0f0a6dfec3c163361a3b8335e979

SHA256
40ad743325aba384374e2c19f8dca7478d61f3e4956f72c66fa1a5c6c5691928

SHA512
a80ec80d43fe0219a05eecb9f67099b7cf6d0cbee008d618268c71ce43c301eec3f272ec1702adb2ca80cd5c2f7e067c92d9395bdab8457a1b9222e204efb6ce

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
cfa90b7246ffab6e1d6656933b1747b1

SHA1
94fd6fdbef313a80058b5ee5622ee4af94a71f52

SHA256
60cddd18d250571a59d178fe23b6c6077b3d6f83282b7f31e674ef4f338e4276

SHA512
224340e84c743693995bf85391957e4339705736b45c6d5b98eecde0c344861ce25575ce3d55a44b60e404b8438fadf621236f068fe44bb3eed250c99decc723

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
d6db03f3a934a91e45a42d7f14c8907e

SHA1
6617a612ebc0d66b9525b0e8f29c7d93a5b80fe5

SHA256
07f00d65238cc3e09e705bc7eefe33ae81a9dd15f9a673d0171713b09e2340f8

SHA512
22efd46e0af43cdb39d3c89cdeee6bb0c609085b93e1af7ba98e7519e406b3b58c39b86c28ca383c1c66ffb75f910558e7d9ffc4105d9c74b7959ae52fcef55d

Download Submit
C:\Windows\system32\AgentService.exe

Filesize
1.3MB

MD5
0d03ecd9441b3cc26e8f586cd880b000

SHA1
7c3c3b7f574fb86e18a606276d0483b672a4405d

SHA256
b55d31e75afc8af6b972e93970825f40df4fb796ab8bd832d20a1f65250342b3

SHA512
48d91f47ead121a6e2429d647f099389e08b585681d210362a711d5078da8442ff1ade28eb336c2a44a5852f34e9889bb587a79378ad49b7bc37e1a8387e22dc

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
f96d2255427844e9cf836ce53d04db3e

SHA1
37d575ea730be0579785d204f5d980f347e0349c

SHA256
93fb52f8897bc9051eabb0c4cbfe57c1769e1ab85104fb47917206c8e651a0e1

SHA512
09967623e2245050fc4fa098e1cc2d9660f1b278c04ad63ec21be1f4ac12fa2c752611c2514078649d81408db9062dfc882e3ac5b994d7fdfd1bbfaa1dad08c2

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.3MB

MD5
fa71b9be6a05da3313a936c342770a01

SHA1
17616f90e95c5652b8b969d55fc7b813826c8d49

SHA256
38789f1eeb587c32abc52a607473acb468f6ef79a3ce683826551c1680aceb2b

SHA512
f3468bec370ead4aab858dc2e86695fbc1377beb92352585e9d1a194816be95817f808d70a08c4f9832584471318aa68299ba6fe8fa699cea2b153db987da6e1

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
4f4358a0d053aac8287395c8ecf795e8

SHA1
5d965b2b7e286336ccf16cfeee2132848b5267b0

SHA256
eff2d868edf93f157d70cec2d65f93e92b3795b841ba8395782e2018b5e33e8e

SHA512
2b34dc272f728f60100ef0ac91cf4e42ef2b813bfc73e1a392bba12fc1a8dcd3836ac36cdd11e8b6d68673a3f3207d1b7bc0ed26f8a5de3e891e13c74accbe1d

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
1b6b348bec427f046377bf15f8c2023a

SHA1
f46459d11ce29969a19d4a4ac997e0228ad63b6b

SHA256
dc3a202d0809260298d5dcb60b6f7b99ef51dd4971efacb67de8b8bb231c2b1a

SHA512
636a8b75ef92bbc82e0c25378b334f351652aa4d8f6785e2483d9c7b21b6ac9df7302235f10f7691250ca2758a1edc63082e9b57f9fa4ff987e1005071f4a98b

Download Submit
C:\odt\office2016setup.exe

Filesize
1.3MB

MD5
969bafdcee7f4b39dc75a440ad9c6cd0

SHA1
fc9f5a53102b1ab6bab4fe0a4f19e9fcfeaf5a19

SHA256
8e7b0635f324b85d6b3b43b3d549a151372e271b0f1e92a84d2c4bd18c4fee6b

SHA512
500bd3576378b5ac2bbc6dbf7ed282d00264f15bd326ceb7e97b85923f10985d36e349d76d025d8a92fd3d842e7b4e5f14862add585d1ee7f6f346e4f66fe757

Download Submit
memory/1400-340-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1548-261-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/1548-561-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/2120-290-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/2172-707-0x000001E98BAE0000-0x000001E98BAF0000-memory.dmp

Filesize
64KB

Download
memory/2172-753-0x000001E98BAE0000-0x000001E98BAF0000-memory.dmp

Filesize
64KB

Download
memory/2172-766-0x000001E98BAE0000-0x000001E98BAF0000-memory.dmp

Filesize
64KB

Download
memory/2172-659-0x000001E98A4C0000-0x000001E98A4D0000-memory.dmp

Filesize
64KB

Download
memory/2172-750-0x000001E98BAE0000-0x000001E98BAF0000-memory.dmp

Filesize
64KB

Download
memory/2172-658-0x000001E98A4C0000-0x000001E98A4D0000-memory.dmp

Filesize
64KB

Download
memory/2172-661-0x000001E98A4C0000-0x000001E98A4D0000-memory.dmp

Filesize
64KB

Download
memory/2172-725-0x000001E98BAE0000-0x000001E98BAF0000-memory.dmp

Filesize
64KB

Download
memory/2172-754-0x000001E98BAE0000-0x000001E98BAF0000-memory.dmp

Filesize
64KB

Download
memory/2172-656-0x000001E98A490000-0x000001E98A4A0000-memory.dmp

Filesize
64KB

Download
memory/2172-657-0x000001E98A4A0000-0x000001E98A4A1000-memory.dmp

Filesize
4KB

Download
memory/2172-726-0x000001E98BAE0000-0x000001E98BAF0000-memory.dmp

Filesize
64KB

Download
memory/2172-749-0x000001E98BAE0000-0x000001E98BAF0000-memory.dmp

Filesize
64KB

Download
memory/2172-751-0x000001E98BAE0000-0x000001E98BAF0000-memory.dmp

Filesize
64KB

Download
memory/2172-705-0x000001E98BAE0000-0x000001E98BAF0000-memory.dmp

Filesize
64KB

Download
memory/2172-660-0x000001E98A4C0000-0x000001E98A4D0000-memory.dmp

Filesize
64KB

Download
memory/2172-706-0x000001E98BAE0000-0x000001E98BAF0000-memory.dmp

Filesize
64KB

Download
memory/2172-752-0x000001E98BAE0000-0x000001E98BAF0000-memory.dmp

Filesize
64KB

Download
memory/2172-724-0x000001E98BAE0000-0x000001E98BAF0000-memory.dmp

Filesize
64KB

Download
memory/2172-765-0x000001E98BAE0000-0x000001E98BAF0000-memory.dmp

Filesize
64KB

Download
memory/2264-293-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/2304-295-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2304-577-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2376-149-0x0000000003330000-0x0000000003396000-memory.dmp

Filesize
408KB

Download
memory/2376-158-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/2376-144-0x0000000003330000-0x0000000003396000-memory.dmp

Filesize
408KB

Download
memory/2376-143-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/2376-402-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/2376-140-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/2484-498-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2484-210-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2484-198-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/2484-192-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/2948-314-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/3288-407-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/3288-655-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/3424-182-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3424-181-0x0000000000E20000-0x0000000000E80000-memory.dmp

Filesize
384KB

Download
memory/3424-188-0x0000000000E20000-0x0000000000E80000-memory.dmp

Filesize
384KB

Download
memory/3424-204-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3424-200-0x0000000000E20000-0x0000000000E80000-memory.dmp

Filesize
384KB

Download
memory/3476-164-0x00000000004A0000-0x0000000000500000-memory.dmp

Filesize
384KB

Download
memory/3476-160-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/3476-156-0x00000000004A0000-0x0000000000500000-memory.dmp

Filesize
384KB

Download
memory/3476-404-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/3620-351-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3620-361-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3776-207-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3776-216-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/3776-497-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3776-206-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/3792-344-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/3792-604-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/3820-342-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/3916-609-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3916-375-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3932-180-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/3932-176-0x0000000000490000-0x00000000004F0000-memory.dmp

Filesize
384KB

Download
memory/3932-170-0x0000000000490000-0x00000000004F0000-memory.dmp

Filesize
384KB

Download
memory/4040-662-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4040-445-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4092-202-0x0000000000FC0000-0x0000000001026000-memory.dmp

Filesize
408KB

Download
memory/4092-211-0x0000000002F10000-0x0000000002F20000-memory.dmp

Filesize
64KB

Download
memory/4180-259-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/4224-226-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4224-229-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4224-232-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4224-220-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4224-405-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4344-137-0x0000000005940000-0x0000000005950000-memory.dmp

Filesize
64KB

Download
memory/4344-134-0x0000000005D80000-0x0000000006324000-memory.dmp

Filesize
5.6MB

Download
memory/4344-133-0x0000000000C10000-0x0000000000DBC000-memory.dmp

Filesize
1.7MB

Download
memory/4344-135-0x00000000057D0000-0x0000000005862000-memory.dmp

Filesize
584KB

Download
memory/4344-136-0x0000000005910000-0x000000000591A000-memory.dmp

Filesize
40KB

Download
memory/4344-139-0x0000000007970000-0x0000000007A0C000-memory.dmp

Filesize
624KB

Download
memory/4344-138-0x0000000005940000-0x0000000005950000-memory.dmp

Filesize
64KB

Download
memory/4952-373-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5068-539-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/5068-235-0x00000000007A0000-0x0000000000800000-memory.dmp

Filesize
384KB

Download
memory/5068-234-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download