blustealer | 52d4c9785ef46a412ea225c41757168d828d77058976963a9232ffa6bf0d9425

Analysis

max time kernel
147s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2023 01:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
Size

1.6MB
MD5

170860057f4aad06ddbeea0ca2b3f1b6
SHA1

db04c735b769df458518f959ae7eca39cfa06213
SHA256

e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998
SHA512

f8bf57126bad026be2414121c798d5688119f06312404c35dea3f457deb717f6422291f5401178586fd23055577f893b4e6236e413c909e3b526c45d3b957766
SSDEEP

24576:uU7taDBzgNEfeEvFTMxdzYPh1ogay/zj1weNgcHFx5MpfTjU/c7jNXPohE:uU7PNBmMxdEvogdzxzHFx+pfTgE7VPI

Score

10^/10

blustealer collection spyware stealer

Malware Config

Extracted

Family

blustealer

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 22 IoCs

pid	Process
1832	alg.exe
1808	DiagnosticsHub.StandardCollector.Service.exe
2820	fxssvc.exe
4500	elevation_service.exe
3496	elevation_service.exe
1700	maintenanceservice.exe
444	msdtc.exe
1200	OSE.EXE
2064	PerceptionSimulationService.exe
2740	perfhost.exe
1512	locator.exe
4528	SensorDataService.exe
2824	snmptrap.exe
2908	spectrum.exe
4860	ssh-agent.exe
3884	TieringEngineService.exe
2576	AgentService.exe
3492	vds.exe
4964	vssvc.exe
2156	wbengine.exe
1912	WmiApSrv.exe
4800	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWow64\perfhost.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Windows\system32\spectrum.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Windows\system32\locator.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Windows\system32\AgentService.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Windows\system32\wbengine.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\1e85accdc94b1c77.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Windows\System32\msdtc.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Windows\System32\vds.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Windows\System32\alg.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Windows\system32\dllhost.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Windows\system32\vssvc.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4516 set thread context of 4524	4516	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe	91
PID 4524 set thread context of 1144	4524	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe	98

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\xjc.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jcmd.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\klist.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\orbd.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\java-rmi.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\unpack200.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\policytool.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\servertool.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\orbd.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jjs.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jabswitch.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ssvagent.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdeps.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\java.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javac.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\servertool.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jconsole.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\kinit.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\native2ascii.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmic.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\tnameserv.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\klist.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javaws.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\wsimport.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\schemagen.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004d942ba77e79d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e4dd39a77e79d901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007188c6a77e79d901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cef873a67e79d901	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002bfbfaa77e79d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ced2d7a97e79d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	101	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
4524	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
4524	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
4524	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
4524	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
4524	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
4524	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
4524	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
4524	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
4524	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
4524	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
4524	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
4524	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
4524	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
4524	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
4524	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
4524	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
4524	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
4524	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
4524	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
4524	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
4524	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
4524	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
4524	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
4524	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
4524	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
4524	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
4524	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
4524	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
4524	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
4524	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
4524	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
4524	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
4524	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
4524	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
4524	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4524	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
Token: SeAuditPrivilege	2820	fxssvc.exe
Token: SeRestorePrivilege	3884	TieringEngineService.exe
Token: SeManageVolumePrivilege	3884	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2576	AgentService.exe
Token: SeBackupPrivilege	4964	vssvc.exe
Token: SeRestorePrivilege	4964	vssvc.exe
Token: SeAuditPrivilege	4964	vssvc.exe
Token: SeBackupPrivilege	2156	wbengine.exe
Token: SeRestorePrivilege	2156	wbengine.exe
Token: SeSecurityPrivilege	2156	wbengine.exe
Token: 33	4800	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeDebugPrivilege	4524	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
Token: SeDebugPrivilege	4524	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
Token: SeDebugPrivilege	4524	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
Token: SeDebugPrivilege	4524	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
Token: SeDebugPrivilege	4524	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4524	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 4516 wrote to memory of 4524	4516	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe	91
PID 4516 wrote to memory of 4524	4516	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe	91
PID 4516 wrote to memory of 4524	4516	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe	91
PID 4516 wrote to memory of 4524	4516	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe	91
PID 4516 wrote to memory of 4524	4516	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe	91
PID 4516 wrote to memory of 4524	4516	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe	91
PID 4516 wrote to memory of 4524	4516	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe	91
PID 4516 wrote to memory of 4524	4516	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe	91
PID 4524 wrote to memory of 1144	4524	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe	98
PID 4524 wrote to memory of 1144	4524	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe	98
PID 4524 wrote to memory of 1144	4524	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe	98
PID 4524 wrote to memory of 1144	4524	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe	98
PID 4524 wrote to memory of 1144	4524	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe	98
PID 4800 wrote to memory of 1264	4800	SearchIndexer.exe	119
PID 4800 wrote to memory of 1264	4800	SearchIndexer.exe	119
PID 4800 wrote to memory of 2348	4800	SearchIndexer.exe	120
PID 4800 wrote to memory of 2348	4800	SearchIndexer.exe	120

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
"C:\Users\Admin\AppData\Local\Temp\e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4516
- C:\Users\Admin\AppData\Local\Temp\e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
  "C:\Users\Admin\AppData\Local\Temp\e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4524
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path
    PID:1144

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:1832

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1808

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4204

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2820

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4500

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3496

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1700

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:444

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1200

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2064

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2740

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1512

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4528

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2824

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2908

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4860

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4152

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3884

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2576

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3492

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4964

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2156

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1912

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4800
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1264
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2348

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
2493f78891c0a739da5711725ccd0b7e

SHA1
4eceb31a75a8f935fa2aacd5d7a13e5958da828b

SHA256
fa83bbfc45e245944ca5fa8044669068555c75258f5f36a4c9f80ef6b1568549

SHA512
0fb0dfd682ad2f2e326ce9cdef06056618c88b775140666ec3d8174dfdfc9f35750d5bb880c5ef4cfa30bb9056a8900da6bbbc333615c87547d1ff19b80c9d19

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
7f23d66f2316e36bd70ab94aa09d13f6

SHA1
06afc3757c8b38eb9cbed1368bc2ddb026ff1bc4

SHA256
285d6982c6c6dab65236d427846b59d631b23a3dba83808858b1d4608e085f47

SHA512
556d591c4443316e1d579396cfc2529b3ac316b6dbbf5bc327135ba9efe993d59d1cbb7a87db6524f3b74c3c17bfee3f97da684bf0aaa193212a4ec405be81b7

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
7f23d66f2316e36bd70ab94aa09d13f6

SHA1
06afc3757c8b38eb9cbed1368bc2ddb026ff1bc4

SHA256
285d6982c6c6dab65236d427846b59d631b23a3dba83808858b1d4608e085f47

SHA512
556d591c4443316e1d579396cfc2529b3ac316b6dbbf5bc327135ba9efe993d59d1cbb7a87db6524f3b74c3c17bfee3f97da684bf0aaa193212a4ec405be81b7

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
86fec91507f8783a70a8326cfdad248b

SHA1
f704d251107e070a307e3d412462a1bcb1ab2847

SHA256
a60641ee9fe5a43c5b5a05e44c99cb5b142124a9f06f484504d147a2dfa238a9

SHA512
0349bec993c00f5ba59f8a9a258dcc3c173a910c4e64bf289f873492f32c5e6c11114fac93c7d908920b8cbf774a1cd1c95c803148aa5ba4b34def9037f8ae73

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.4MB

MD5
f45255f10024b8046a96f723c3ec7d0e

SHA1
66a16884481227d9fe7dbe95091c51c43906ccc8

SHA256
dadd199c59c66ad37a0f9fabed581c824d3a1db10cbc3a1f4094c8da68c031b2

SHA512
b027e82086116553efff39c5a66dc70130743d5c1b18b729b239617178f801c3d6dc2231e44e06859ed0ba9175a6020506adcac3ea97a122a8b3bd67a5c7f6e0

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.1MB

MD5
dfd81a420aa3958751c5dcd87149ad3d

SHA1
373f3cd737d5b84a5da2b4edb5b795dc7a599a9d

SHA256
cd978f018f8540c2138739454634f3fb5917263690c52105d7a38917a2a32524

SHA512
e82e7e13b5582354a8293685a908c9507481e5c8d86ab759e40c99efccc9033e0196ebe2cf322aeba672eaf6a3c4dceb588a6c9b07c0257c3db7a886f5863ada

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
71079d390af6b33ed0817c41a1caeb30

SHA1
0e867ec7e9651f3a0c01d92f9cbfa713aea53ca6

SHA256
cd1f586efa61938484115aeca350fad935dbd64dfe2509cb22f45450c9074b1c

SHA512
9e95b5956400129f0a58ef37c0b55dcb15c375592bd9d70bdcdc42807ac77674cf3c911efc004fe2051bf528345da5af2af2cedd2c5349a9977b811df1d7fbe8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
209c56741a9a675e01b56291d05e0c30

SHA1
0f6917e9e408abc1af86401f2530447e5bfffddf

SHA256
251a806ef85ba60323a3f6eca7adf6575c1a7896bb0451113f277e3b190c50bd

SHA512
5ba1ca75b7e60c36bf5c8d7ddc2b119e839a9cc34f369cf1701178e76c1747abf267e692f3d72e5beca68015c60ac868e125db43746a7a7abfb0936948a78e64

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.2MB

MD5
161f23c02efcedda9f512437fcb38484

SHA1
d55848a3ab3c97e2e60e8ba35a02ed2ec517c616

SHA256
3a5fc9f949cf861014e27d35c4dd65d724e8049c1eb95b4de7a7ee0424b47031

SHA512
d6ebeb2655199a7404f57e68522e953a5c9e23040bfd59886932eabb273f7938f8dca6be5af0bd45ae289b4513f7b3bb5b2ee055eb9bd2fb0be29204704bb7b2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
be5b8a55d17ca587e1dc130914aa91f5

SHA1
7126bc4550c3bf14df0ba1bcdecc298c70f343df

SHA256
63e816506125793b18f7883ca2f1a798973d5b832b08f8caf5688d609c9b15a4

SHA512
9bbc3e211990bbba977dae3c869ff15fd3d59856591ba86714d33f00081d7cf90dd2e05f085b81cf40b560c7049edae601f29ba37b8f235e14721f6472fd372e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
4.4MB

MD5
ead4ac9e81b35f4c1000ec27c064c0e9

SHA1
4934b1e735445568ef9c8739e3ee291a94537604

SHA256
99065620c80376ff67bdd8e752b9b157a70bb3067595d7bcc6fa2d4203c3b898

SHA512
9d9ffaeaeac131f86d643ff5dc948d039eed9fd8f3c86331b4c1113eb7220bb68e131b9025ba31c0712178bb2bf4c7428c2a1ca2fcdcbb1ede73dc3460fb0d50

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
9c7cf683f28379af7e9085901317d58b

SHA1
3c08940ebd4f573041f85ace90992b564cac0923

SHA256
4116fec0a93d15b4dda4a20378a72d308a47aff2e2166e13ef781cbedaebe04a

SHA512
6e9619edd28cff5fdc291de0f000a8f9ce5324b0f655f1d12867a983a371fc1412e412b802aa2c590bb979c94baa86eb206a12f9f17349b6356f4cd9338bbc8f

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
2e470e5cdab9862935f9ff6f69607cef

SHA1
aa06d3a182eb59b74e7d2127c579ca52b0040987

SHA256
85f92ee3bf1e5132c4efff9f0279e8fc96405a0b16db4cc1bf5620638d024ce8

SHA512
fffa12c80d003e2aac9d7075dcfe1ea5dd8eb858e630e48caaf0dbd379f8072c3249d913903d9865dbdecff130065e2344e9a944a99eaae88f6edf8e2aa50a3a

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
9bd1c9b0831c6df94997ff19922d0d9c

SHA1
c978bd656233b8623eb6dc9671b82f236a4a824a

SHA256
9b5c7d461b4506cf89f2a4fdabcf4572fa90d321776ce431c493b6482a561afa

SHA512
5d571313034e6608ff303bd0d5dbd103daa48584ec4eed6d3277d63c520f5439acdc9261da708d66a15ef33f3a3b248d12e67007e92ed1d330808439f5b7610b

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
32bac11a3ed041b50ce250cb7e0d2a00

SHA1
4bd5b7243b852aced16727ef23f7b4f82f74c662

SHA256
bbb2b80848a1b66e6bf6cda585923a159c095a728f5d8c1a92f0fbc98c8fb96a

SHA512
178ccd448bd45e7c8429e5fd0c3616ec502fae998ca3df27c29aa9193189605c17ccc9507d5c1a2405f30d33f3bf9ee784780ed3cb5fcbcd7791f83fa641266e

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
3.6MB

MD5
aea4aa8fd79965e6bc9748d4dad0cfad

SHA1
c4e4c15da1051d151d26331179635ba09d96f1f2

SHA256
8ca36dcd483204ea3696bb6aa47510e11d911ca1b3732c8b2cb9324d47b5ec26

SHA512
520bfc4c5f4118fbfbb0bdf89ff9d940ecd82ea30a9f387d6ce7c29233eab02a8b0f71e9aef4319911b7004190c5aa41f232c3ebc1cddbfaef7b4cca5bb29eb0

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
3.4MB

MD5
26cdd49ce29956529c3ccbb37d42e930

SHA1
564f81e0f5b4d57ab368e7b7ea8589b8b08658a1

SHA256
7574e81c5d0c0fac10e96398f434573b7c5a963f9c07319ad177953524afa01b

SHA512
fc5a637f6eadba131b1d0e65f6e8b90e6ced2cbcd5e005eb1b6e73d10018d2159fe61b591733c6239edd35588ed0088426a06bff1a2504f13affc8c9b1889f98

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
bf926cf2a502876e7075d1fa9570415a

SHA1
c0c56ee3a48d602cebcde68b715cb2a9783b115e

SHA256
3bb6df046f06704a51a02ae974bb4e086c80972de02f2204c516eaa75147ea0b

SHA512
7c6872b902c526cbba0b83c17a2f263e0be6cf7dd6d1d7f6b403a959ad3b5ac7a40e034bf5cfe335b660176fa3da6bcac40872ff5745012bc2136471aacfa87f

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
0de2ab21762032ba0724add65a144529

SHA1
cc0dfd4a3d78a1210b35e728b76e2ee6c4b592cf

SHA256
a2c47daaf1a41679331bb85a7f8a2d2fefdccd085cfd6dde1a3724b5fdcf0df8

SHA512
86cc41834292028b7fb696fb15f80e44b48c7a268db09cde07f3891c47a25ea06b584a2b27fa6c329d053679845072c6b1eeb7fba21cdeac21050b846b65f992

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
2fcfe410748ad7f1011d7d21c80a1393

SHA1
2e2097c5ab3508727b6cf7b6c574648a66ebabed

SHA256
d60caab5aea1597db676c59575b0a772eda8976c8d65230decce7a01915c0ed8

SHA512
c4e3672093ed99ce45dba30aeca7e0db94aa96bc3782f09b618ce389252def02bd99019e280d461e6f5dd817f31a79398cc9fc90c831d827d8627b629038215e

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
c7d010e4e1b04dff02c94d9961ce8993

SHA1
0172d8683c6e535901177a2cfc3e84aeb5a80207

SHA256
fbfbb59bdaee07dd8dd6907c584fa6c38d06026873bacb1874cb28a68fd0bd58

SHA512
840e3f2e24f80f945ae785476d66195e07488640f65b7bf18297fd06a56ecbb042b0ce7fca7ca2ccba1a0e965495c70aa06c87fb23351b5ce750cfd613c45de9

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe

Filesize
1.2MB

MD5
e16b865bdbe60149ab4efa5ab9893e51

SHA1
0b706c3e0a9a8a40659fed3e5b3fdcaf3ba0b2e1

SHA256
111dab84ef72739e286149d5a6887356c9e6cb62b7d9143b726878a2d80f497c

SHA512
46a91827a8c25a276a04ddf5b97f185ee2e58896d070be4f07be2625be053f3f63fd5d72dd2dbe50b879e3addbd13a28b1b4218e58b11623d3b315f786a0db9b

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe

Filesize
1.2MB

MD5
6a8d50243879b8ef5e2ab1b45ca504b4

SHA1
f4059d2619a1e2634b5c69a8d2b4f0ee727e6ce8

SHA256
677bebe60667022ee53d77894242c79d99822193176644ee0f98ac0cca2b6408

SHA512
37f0ec8ae0e3bccce27b0c5c7e88c678f2eca3733440ef3d8be4dfaec349fe0b38138e00386e78130afba1e03837ba027e718afb003288ecd97df309579ebccc

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe

Filesize
1.2MB

MD5
8af527be70b772259f756384778a73cc

SHA1
28ec4089b085dc2cae1c5034841bfe92ca9ba7da

SHA256
10a76ce6391f172f818e50b1f72c315f91beb75b9de475586e63f6989d8fb917

SHA512
3ad75e3d59b53652e36d3724b35baa714be844d142a583d82950ac9470896b94c1ead8886d5a10cff1c6c845a250545c829f1b098484727a76e24155ed740e20

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe

Filesize
1.3MB

MD5
3d6a815a6c899c4e9ec17d932c7738cb

SHA1
21cb165bd18666c8dcf2ccc27e431a35a3c18b52

SHA256
ff34d667c25738de157aad252a304c792906238104e0afa6f1a53bc7083458b6

SHA512
27deb5fab57da4d806ba059e576354bba9723392d87b3539cede5f08f4da2b9c26dcbf8f4159a23643211eb2b5169f4eb94aa1b3472e7dcd12394e3faba5fc7b

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe

Filesize
1.2MB

MD5
a8d90972c354d19f53d128631aeee9d4

SHA1
3e61d59930c246275a8b1798a1cd74de6b707073

SHA256
4cc869eb69e03b1b710e6dd7851340d70547da4afc53bd5f37079c360115738f

SHA512
ebc8ecc2fbfe94304ceebb591721829037a0a747b49bad1f6542e52f97b058afdcf341682ec5d0308360b41b4549cf91e6fe2805db1b8b4b68782586e8819e5f

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe

Filesize
1.2MB

MD5
d49cd362dc5b4e37e73b9d006f1c68ae

SHA1
309c7287b741fe3c9273abd7034d6a28b07b5a9e

SHA256
3107894b78f61f0e655df59c3a46998beb87be74d0f0f0e441b77b3f9770044a

SHA512
a8035bf43ab07ed97a7394a9eb078894824100fe7277b2de02bc0d8e2b81e2c7155ea002dc48fd4451c73e42c3550f76ec3210ac566b0adf3da446b3f2fcb37c

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe

Filesize
1.2MB

MD5
10ec9e0f9ae856334b16544d260a28a9

SHA1
ad8d35944ba64de0339e9c67743ccd4c3158db59

SHA256
d7deac24d59488b85274330ced9e555ae139878ac2a95e58ce0c9f187b212e0f

SHA512
2610d5c01420532f173599d8d27d13f930603edde0fc30c5c9402da515ae42e8c17baf5be27d5ed2d931ff9e3a3b8e958a0ffbddcf5f1f2356de692512c83ec2

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\java.exe

Filesize
1.4MB

MD5
5040626c725273fc3b16e0e867e6f240

SHA1
2401edac8a92aa350b43c6383f652e1cbb001488

SHA256
90d1daaac69e1b5056f5c2957b113ef3e03e3e23479f08f86981a1e65cb14f02

SHA512
7a93357c9f141072ad60ef800f5f2b48edb888f8bd271a32642e9147d3afc09ce203b911ccdbb53f840be23b9733c568f7f68f4ba370f7f4cdf25f2203d24330

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javac.exe

Filesize
1.2MB

MD5
b38698db341d7b9dcd0dac433db21eaa

SHA1
8912cbbd6d56db5ef515a3dd2e24bd49a54ba4fa

SHA256
5a17d7254dc0db07958ce390889afde8369679025259653e2c95df3609f15d5e

SHA512
05c5d6d925f500f2332bb8c2c97eff1942d43727ccbb83774d7007115263ffc40d10c076c56f4e24b234179e48522dbd9d73cdf6db5ad967f19f7111edeeabc9

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe

Filesize
1.2MB

MD5
2f8a5815535691798cdcdade92a900d7

SHA1
9769d9929a8fc6a583af5922b65c880c1ec6b043

SHA256
a1808b417e7fbdadc50472c1b1dd198378c3a65b0627d18ccc058c9e1c6fb289

SHA512
0ac5e12713fd03296c1884c36af7f1ad5b7cf4300d6e11172a7ef85ba0fddb1b94276f68f956675762b179238cff4754cc690908ccfb0d89087aa7b07219d32b

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe

Filesize
1.3MB

MD5
1ec7d067f18cc8f8421bf653be12c5e6

SHA1
9f84300aa209b4afee644deaabdf9726c14bd059

SHA256
52cb19a5f15af30507a170d32daa80db798440231e6c538011c267d7fe29c240

SHA512
e3b720916cf2ef1b734d57ebbfbcfbc76d3c240e354aadf8d52abffdcf6a010399eb6e40a92f7a833172517accd6b6a542981acac90f34a71a8bfd93059d7740

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javah.exe

Filesize
1.2MB

MD5
e0f8c0ba3f825057302c3f4a78455a84

SHA1
86873b3a08a61667031285ab0105e94983e8449f

SHA256
01c94b66daff0c089d14aa107bde1f008ea6e95dbdd35a855f3db50b3bfacfb8

SHA512
689f479810b487638a4d6e51995c2f6f3c5ede54c8252aca2775a6f17e804e0e1d88bb4f0adc6d2a6f85f6540929d1e875664d4d4a1c1515137495bc651f5b90

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe

Filesize
1.2MB

MD5
da4d7c218dd28e5751a516fe96fbad4f

SHA1
7ccfa350d1f3b0bcabccd8aed00797358214aa09

SHA256
388cf5ecfe404bb235d129f761df4e89a39afa39ba5b917c0a06d230cb64f793

SHA512
3c7d5d11ffa4589fdc181e915ac65b5db0aea5126ca8037596e80ae7a7c5859d1984db945a2c959f8cf590d9c626d57e1928bce8f538f43b634cb37888e9d97b

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe

Filesize
1.3MB

MD5
af61b5c902864c6eaabaf4fcf1f335b3

SHA1
8d493a93441752028e2cfa34970f4cda7ceb6d52

SHA256
5a67778579b45bdad510a9e02eaf96475c7f0014297b90af60220c47c750c81f

SHA512
28823e36740b9ddb98e654acf76a4e584c05c364f189e9233784e7da32a8aa6d0f8863cfcdd49691b4b9bd109cc2fbfd395284ac6899bb7243189066e11577af

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe

Filesize
1.4MB

MD5
b585ee1aca737905db025ae2fa3924a7

SHA1
5b94afbe8f80b7032943d286fbf236b2a64d2d81

SHA256
fbbc8e78e086fdad26fcf7705cd20455d2919daa6971e36ff5e75419a007ae7c

SHA512
eec13a9dcf8e996697f40d04d622c5faaad58cd840e816995e54c3a703e332977893f32f7a7ebdadeb809a95ff4db54435a150c00ce3a0a0a837925277928a7f

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe

Filesize
1.5MB

MD5
4999cb09258d3b4a2dc11582fc7efa1a

SHA1
fd354f205115c7e337e19d4185a47947f1f198d9

SHA256
cc984a481346c815ac9bb95aa03b72c3a42ce6efa18882902ed039a192a6ebaf

SHA512
3ca133bfe306a2a6ad93f27924d104c9c3849c2fc693650a2930a6e13da15eb812b168fdab58f2c93ebe906572ca8dafc178e01cc93ae7739ffc3f608a838409

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
940cc46d1da093cd38e17bc38d46b3fe

SHA1
6fcda92653ae005c8394a3cea8cd67818d642e4e

SHA256
5e03ea693a4006640b5e2d0b8e6fdb542b5610ba861ee32f22bdf71c44c175b6

SHA512
095ba9302c8055f75a43df72c334b4fb2e40443a46370e90cd41c3fb12446c1f08c27b370a8de72ed9789207d3d11381fcc4372d58ce3cab7c0002032b2f2959

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
1e5c1c1be511c79b204c47f2afe2f2b2

SHA1
e0f7bbf6be8f798e7928bbb5db6a29c0aa5b8679

SHA256
6a08a3e2b309ea941a0826a974055a9015a9a14adeccbfbda8c3d475abffe054

SHA512
02d0c1f2d8f92e4ff72179b312a9ba35ba1569b3a9bea9fa9cf21f641baf7fea034996b31b13286468cdba1b7bafdbaad61321b68cfcc5ba57ff35963d7f4734

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
de2563db201a2c5ac174c0dd51675c76

SHA1
f4c283be7fd2fde7de334a0758120c309196d1c7

SHA256
054178b47fd77c01f86cf7230afdb155289718b3bf66fc6fef6b8388b9fd055e

SHA512
816070e0b96dd2abaf46095f73738002e4efc13e111afab153a7613b5f9b839490ae8b2889dedb90e586330a27cf50885327194203d44ef48893b9881def4271

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
06813c1d0ab8ec83ca8b022216008bd3

SHA1
4ba5fbb9a8c762c8a163be338b3aa5e4063528cc

SHA256
962dd6245dc742c232c6a201b8cbc55a707768449a2dc567c17ba6a7058480df

SHA512
4f87053188cdf31dbf832de958ff1eba01d59d0c847e6d3bdf8e1573304fed58711fdf7218aaac29675cb3d0b09997ab63e9ad885831826d84c58a8f91980cc7

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
e512c31fbf4f4023c980b3498248d1df

SHA1
11f397c3062063617011d15a2a9485b057b4fa6a

SHA256
28161cabff2be24916095210ccdaffb49e8344a0a1ccbd38960379ece6e76d5a

SHA512
429cdea7dc9b1b300aed2cd4df39722ef1b1007477f0e1853948a021dcc0bb8b0ebfc3efe37f189a19b8622ffd7e6982c63bf1ce1256ae749d528370b311ab96

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
c52f4e87e2595727c86e1cd1d422cc5f

SHA1
0eb3f262ba788303133d54f164e0c8f90e2e29af

SHA256
416b7c8a61d8cca9840643a6824d473b9035f2acecef21a15349eaf2d50e2a1e

SHA512
b146cf530d2df4efe74a19608cba0729cad2c238b879ba145271ed278c89a1c180698deb888be5a9b7f481ded6f9a74e18ea117b7373f9e48e3dc78ee7111f4e

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
9b8add2b780a2b222ea0e2d362f844c5

SHA1
bf2a9949d937d96941a7aee8225fab459a50cf98

SHA256
fc129b44be4c71d8e8ce8d81ec51541b3cf279f765bbf1060df776ac91161fab

SHA512
192b659fb53dee63e7ef11c2fdaffe8db7c427ff8b265a48d01aa07e4c932386bea5f537d88674d8d7aa5b74046fd5393307ad0babb79d860f4d3f02addc7584

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
9b8add2b780a2b222ea0e2d362f844c5

SHA1
bf2a9949d937d96941a7aee8225fab459a50cf98

SHA256
fc129b44be4c71d8e8ce8d81ec51541b3cf279f765bbf1060df776ac91161fab

SHA512
192b659fb53dee63e7ef11c2fdaffe8db7c427ff8b265a48d01aa07e4c932386bea5f537d88674d8d7aa5b74046fd5393307ad0babb79d860f4d3f02addc7584

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
7faf120485a2e78343f32c582704aac2

SHA1
45fff76df9cf10ae13926fe274b6d7b3dd11dfd7

SHA256
7396ccf083c7126c18c56798917a9c5070b437458f213ab5696378bd9e41553d

SHA512
bc30374735e3fecc2ba2e01067a70248f3ab1f9f3f9f57562837fb9f7f710e8a69b350473018b4540feb170d47fa5bf678595bf1f67a45704b7903d9cd7135aa

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
0e52191075aa445e044b0d39f0814e36

SHA1
f6383c72fd3ca95a9400d4bb66b1af6f8c57c5c8

SHA256
4c46cc598034c0684bdec77ada9da76cc14b493ad03d76e2d925b000776bccbb

SHA512
031d8c8de22b0e07dc5202851c56cefb2d749e193d656d3fd995db9d53a45a787495b02dc3b89d1fff9a1de0bfe352246465b85217bd446918a555a889f619d6

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
7f0c943f6e0974bdb65b665d5b6c144b

SHA1
3e7e63a84e283c828ba3fa8d852afb0e33d54d69

SHA256
360ce80837d79e6de5b1befb45e22a3e2b3d0a0d8ccda3b7ddec0becd242e9fa

SHA512
e047296aa055d3cdbf2e511922989ea4f6c0516345e7f63dba780d36bfa9de6bb18e3e16cb97f7b71e2b688bf2fc6830c8281ff96204890db293ba3f1621090e

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
7f0c943f6e0974bdb65b665d5b6c144b

SHA1
3e7e63a84e283c828ba3fa8d852afb0e33d54d69

SHA256
360ce80837d79e6de5b1befb45e22a3e2b3d0a0d8ccda3b7ddec0becd242e9fa

SHA512
e047296aa055d3cdbf2e511922989ea4f6c0516345e7f63dba780d36bfa9de6bb18e3e16cb97f7b71e2b688bf2fc6830c8281ff96204890db293ba3f1621090e

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
97a1a4a9baa202c1435e9a4e5539fbbe

SHA1
36b5eba82c6f3218b28042014e19e837e50b7648

SHA256
d9ae24a96caa98ff9126ca36c5f2e2ed549eab95f2bc6128c8dcb171bb104091

SHA512
335853a63afefcbae12e2ca9b5b9d120cce40aaeb8229043bbbfff867a3e4cb63a343bafb22f0f95f53f61106dcdeccadecea56804467bf418a77afdda639006

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
64f963cae1f69c0240676d6c96be04be

SHA1
174749c2a3912ac7d350b7fc13eeebdd14504b7a

SHA256
cb80a78364ceb1d6f9c96313703909067d261ca9164542383e94289f046f64ae

SHA512
3e89744f1d65f08e425729a740074bc611dee049f609e9755128df0d6f9c8f232a527ad8b8d15916dcb7bbe6fdf78633d7e29dfc53ddab185a24b991146e7579

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
f54de6517055ed410280816615e43f33

SHA1
1c256c4e42ff773f67e4e600ec6aeb2a70cf6dda

SHA256
e63717d469e276c0d3df7cbaf8aa8ae1b61a2febe1e37c4ee2454ef9f853bac0

SHA512
0ea6e7300c51d7ca223d2773b5ea1be6cd9200669416454038f81fda0e602fcef38dc96f4c4029db23e36149c71d1d5ccefcc9847d540efd30188690cbcb5118

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
f182029da052b689d0b847fb5c25ba7f

SHA1
4aa6836e27a16585bfaf7da5d52aa039b62267d0

SHA256
dc92a49876c525207d113eefa08a33066a2ec6e7aee0d5d5d2055ec0a6576dc9

SHA512
81036e2d213c7dfeced75ced7a543a56caa25625d57609e11782d1fde1332362ec3e07ff1c245b44e5e97f65431d67413d53bfacf79ed9607c94e3437fcd1ca4

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
6feedb3cf1821b663e45b4eb5358dc75

SHA1
f88feb4fa49d5abd2a34ae0c6e08b69d0cd0031b

SHA256
0de0ebaff8033d57cfe4137f8a933571967f0cd33af2666bacb74923fd58baa7

SHA512
d40bd8ddabea9c6c3df396ddfe42251b0774e95ad0c8a1fcf072f2b7c8f4094c1fd1a92a8a5917f0c1886bd070fd46cc29a4dfaa1e8c63efe945a70777dc4822

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
7764b5d64153906868ed2b53f2e1cb49

SHA1
adfaf975cad40dde0fe348f8f5148601c739475c

SHA256
d789f94dd487550947ba890e179e53a9ab39b11f0ab9ca5033fb459d7173737c

SHA512
c9e1c796910735c0bee4a6037ac806570e445a328d2da7d7bddaa50794ea1a8e170b8c7dbe8b92de24978343bf8f03ec8bbb5c027ffd106b0c405bfaecd8aacf

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
6f6eac60704f19d0e78bedacdb46136e

SHA1
779e5b1d8f6de5f6c0eafbb0bee90bc738f6facd

SHA256
caeab5e4820461cc99e776d43c8dafa664d8032125bcb40d744dde6b274102db

SHA512
f8996c32f7954d50e63154d582a0bd83689748d1b563ebbeef5c781cdcff99f3f485bd0586e786243f27123cb83b9eb930473321bf362d63445dea9c77048c42

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
7f1814e8c2d4dee1054e9d807fc73451

SHA1
83c4a78c1f48cd81f7b648e128e2b4c48736cc16

SHA256
88a4a1f24f42271a25928af404f534943f88beddfefe0f7420ee34cc62e7edb0

SHA512
eebdb9a71accb3fe554c7d1220cb7dfb57a28f69609ed6c23725edf909cebd87084c9a3120a0b7e20d5bc7b4357171b606902194119c96fea29a5ec22e25305e

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
a8a55e2cc185558580c01ff36b695e96

SHA1
39ed68ffde5c91dd7dfd96305ff94adf23c1bddc

SHA256
82c6f214337d37dd899dce893875de2a8c7c787d2a32754be2bc8352d65b8147

SHA512
6d7fce85bad002272517095cf708b99924aa177253fa1cee3f7f19c34f9a9bbccd3c94c5ffb80558bd5742ea350ee59eb83195dc58472e7f4ff1ebfdce43bd0a

Download Submit
C:\Windows\system32\AgentService.exe

Filesize
1.7MB

MD5
de2563db201a2c5ac174c0dd51675c76

SHA1
f4c283be7fd2fde7de334a0758120c309196d1c7

SHA256
054178b47fd77c01f86cf7230afdb155289718b3bf66fc6fef6b8388b9fd055e

SHA512
816070e0b96dd2abaf46095f73738002e4efc13e111afab153a7613b5f9b839490ae8b2889dedb90e586330a27cf50885327194203d44ef48893b9881def4271

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
3ca2dc60da39136123e032495d169b65

SHA1
09bbe620e4d673bd8d2cc072724cf04bafd06198

SHA256
92eff8a1135cd61bde9a8c5ec7f43eb2b987d59c9004790f030c1e92f69fdc27

SHA512
20779ba82a0bad666361ac1f189ad66bab21aff5a1fe309bb93d2824225b874a5eb4d7d8391785b52d4955b20d7fc83879b6288a6b71af2ec1cdf34496f6e94f

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
71ebebcd0e9dbf4ed0539ac6eab9b607

SHA1
96dc38db6f29d8c67a76097a08cb06b15bfcaf25

SHA256
6a911324bbaf748725bf670d5a3b794248c6f6d835998099fb5f26d4d07d27ae

SHA512
ea44b1bab4f8a540f2b74e9be96e5c6095fdb156e3a19d473378b86695f30101efd96fb659e88b3ceefa7805dc048041bf5ae3d7e697ed270f91f57beb63e4c8

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
e512c31fbf4f4023c980b3498248d1df

SHA1
11f397c3062063617011d15a2a9485b057b4fa6a

SHA256
28161cabff2be24916095210ccdaffb49e8344a0a1ccbd38960379ece6e76d5a

SHA512
429cdea7dc9b1b300aed2cd4df39722ef1b1007477f0e1853948a021dcc0bb8b0ebfc3efe37f189a19b8622ffd7e6982c63bf1ce1256ae749d528370b311ab96

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
6679f9f405ead2181a2fa69683adeb36

SHA1
a7659c0449e6da35479df0a73b039ca2089fb0c6

SHA256
7a4f5f1b5ce5f2bfafcc480a31210ff06051f251d112769717210ab0b1c8637e

SHA512
ea9676d3f797ad075a8e5bc2fdd0c52fd7aa27b9c2b0133488e283880dff8c4a1eac153235efa280726df9929301b644a28fa9f4bbba6f8048e729eb48254b9b

Download Submit
C:\odt\office2016setup.exe

Filesize
4.7MB

MD5
1ec434217ac7c2f2dca26ca78adf3b24

SHA1
7c0a15880b81b673a7467703f4145779c8c60cb7

SHA256
1a3fdaddec812f8ef95681c83e9710fb7737aee567fef95a09ca5a1affd2178c

SHA512
ac464f411f71fb435fed240f0bf9ba02b41f2e94b3acd57cf4d08c14d6969a05ecb9392e1023ee84d0e40a11e9edb02bbb08c76034f6afda5fae459f8ea7097e

Download Submit
memory/444-233-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/444-539-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/444-232-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/1144-209-0x0000000000900000-0x0000000000966000-memory.dmp

Filesize
408KB

Download
memory/1200-266-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/1512-300-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/1700-226-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/1700-229-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1700-223-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/1700-216-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/1808-179-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/1808-169-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/1808-175-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/1832-163-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/1832-178-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/1832-157-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/1912-403-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/1912-605-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/2064-267-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/2156-402-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2348-668-0x00000225D3490000-0x00000225D34A0000-memory.dmp

Filesize
64KB

Download
memory/2348-706-0x00000225D3490000-0x00000225D34A0000-memory.dmp

Filesize
64KB

Download
memory/2348-664-0x00000225D3490000-0x00000225D34A0000-memory.dmp

Filesize
64KB

Download
memory/2348-665-0x00000225D3490000-0x00000225D34A0000-memory.dmp

Filesize
64KB

Download
memory/2348-667-0x00000225D3490000-0x00000225D34A0000-memory.dmp

Filesize
64KB

Download
memory/2348-661-0x00000225D3470000-0x00000225D3480000-memory.dmp

Filesize
64KB

Download
memory/2348-669-0x00000225D3490000-0x00000225D34A0000-memory.dmp

Filesize
64KB

Download
memory/2348-686-0x00000225D3490000-0x00000225D34A0000-memory.dmp

Filesize
64KB

Download
memory/2348-688-0x00000225D3490000-0x00000225D34A0000-memory.dmp

Filesize
64KB

Download
memory/2348-687-0x00000225D3490000-0x00000225D34A0000-memory.dmp

Filesize
64KB

Download
memory/2348-705-0x00000225D3490000-0x00000225D34A0000-memory.dmp

Filesize
64KB

Download
memory/2348-662-0x00000225D3480000-0x00000225D3490000-memory.dmp

Filesize
64KB

Download
memory/2348-707-0x00000225D3490000-0x00000225D34A0000-memory.dmp

Filesize
64KB

Download
memory/2348-710-0x00000225D3480000-0x00000225D3490000-memory.dmp

Filesize
64KB

Download
memory/2348-711-0x00000225D3490000-0x00000225D34A0000-memory.dmp

Filesize
64KB

Download
memory/2348-712-0x00000225D3490000-0x00000225D34A0000-memory.dmp

Filesize
64KB

Download
memory/2348-713-0x00000225D3490000-0x00000225D34A0000-memory.dmp

Filesize
64KB

Download
memory/2348-714-0x00000225D3490000-0x00000225D34A0000-memory.dmp

Filesize
64KB

Download
memory/2348-715-0x00000225D3490000-0x00000225D34A0000-memory.dmp

Filesize
64KB

Download
memory/2348-716-0x00000225D3490000-0x00000225D34A0000-memory.dmp

Filesize
64KB

Download
memory/2348-717-0x00000225D3490000-0x00000225D34A0000-memory.dmp

Filesize
64KB

Download
memory/2348-718-0x00000225D3490000-0x00000225D34A0000-memory.dmp

Filesize
64KB

Download
memory/2348-719-0x00000225D3490000-0x00000225D34A0000-memory.dmp

Filesize
64KB

Download
memory/2576-355-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2576-361-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2740-297-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/2820-514-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2820-181-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/2820-187-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/2820-201-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2820-199-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/2824-323-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2908-588-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2908-325-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3492-375-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3496-537-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3496-212-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/3496-205-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/3496-231-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3884-354-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/4500-191-0x00000000004D0000-0x0000000000530000-memory.dmp

Filesize
384KB

Download
memory/4500-516-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4500-202-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4500-197-0x00000000004D0000-0x0000000000530000-memory.dmp

Filesize
384KB

Download
memory/4516-136-0x0000000005640000-0x000000000564A000-memory.dmp

Filesize
40KB

Download
memory/4516-135-0x00000000054B0000-0x0000000005542000-memory.dmp

Filesize
584KB

Download
memory/4516-139-0x0000000007710000-0x00000000077AC000-memory.dmp

Filesize
624KB

Download
memory/4516-137-0x0000000005710000-0x0000000005720000-memory.dmp

Filesize
64KB

Download
memory/4516-133-0x0000000000950000-0x0000000000AE6000-memory.dmp

Filesize
1.6MB

Download
memory/4516-138-0x0000000005710000-0x0000000005720000-memory.dmp

Filesize
64KB

Download
memory/4516-134-0x0000000005980000-0x0000000005F24000-memory.dmp

Filesize
5.6MB

Download
memory/4524-149-0x00000000029F0000-0x0000000002A56000-memory.dmp

Filesize
408KB

Download
memory/4524-440-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/4524-155-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/4524-144-0x00000000029F0000-0x0000000002A56000-memory.dmp

Filesize
408KB

Download
memory/4524-143-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/4524-140-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/4528-553-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4528-303-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4800-445-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4800-619-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4860-352-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/4964-604-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4964-372-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download