blustealer | 66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8

Analysis

max time kernel
152s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2023 14:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmpfkfb5hd_.exe
Size

1.4MB
MD5

348bfc0c42d7254bc63e482c4173fea8
SHA1

ef6a18df4c2d04c6c194c5cd959e714114a402ab
SHA256

66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8
SHA512

ebabb70e503b8631210ce53d89c03275b190823e85fb1591216022c575b271cb981b2c93f63989b0179bfa6fbd807c11d1cafd43d335d2010d35b9ae9f21be43
SSDEEP

24576:+3y9ZjI1Uw2ojP1WQ4C8KJ/Ixl2KVpLNzwOKb3uR/kCrVKoNZXgUFqssP:B9Z0xWQTJ/uAWp53R/k+VdQW6

Score

10^/10

blustealer collection spyware stealer

Malware Config

Extracted

Family

blustealer

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 22 IoCs

pid	Process
2060	alg.exe
3388	DiagnosticsHub.StandardCollector.Service.exe
3584	fxssvc.exe
3312	elevation_service.exe
3020	elevation_service.exe
3188	maintenanceservice.exe
4564	msdtc.exe
1756	OSE.EXE
780	PerceptionSimulationService.exe
4880	perfhost.exe
5092	locator.exe
4588	SensorDataService.exe
1840	snmptrap.exe
2372	spectrum.exe
4792	ssh-agent.exe
1884	TieringEngineService.exe
4988	AgentService.exe
4612	vds.exe
2668	vssvc.exe
3460	wbengine.exe
2376	WmiApSrv.exe
4928	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	tmpfkfb5hd_.exe
File opened for modification	C:\Windows\system32\msiexec.exe	tmpfkfb5hd_.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	tmpfkfb5hd_.exe
File opened for modification	C:\Windows\system32\AgentService.exe	tmpfkfb5hd_.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	tmpfkfb5hd_.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	tmpfkfb5hd_.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	tmpfkfb5hd_.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	tmpfkfb5hd_.exe
File opened for modification	C:\Windows\system32\locator.exe	tmpfkfb5hd_.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	tmpfkfb5hd_.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	tmpfkfb5hd_.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	tmpfkfb5hd_.exe
File opened for modification	C:\Windows\system32\dllhost.exe	tmpfkfb5hd_.exe
File opened for modification	C:\Windows\system32\spectrum.exe	tmpfkfb5hd_.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	tmpfkfb5hd_.exe
File opened for modification	C:\Windows\System32\vds.exe	tmpfkfb5hd_.exe
File opened for modification	C:\Windows\system32\vssvc.exe	tmpfkfb5hd_.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	tmpfkfb5hd_.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\90d7764bc4600f4c.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	tmpfkfb5hd_.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	tmpfkfb5hd_.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	tmpfkfb5hd_.exe
File opened for modification	C:\Windows\system32\wbengine.exe	tmpfkfb5hd_.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3084 set thread context of 3760	3084	tmpfkfb5hd_.exe	85
PID 3760 set thread context of 4684	3760	tmpfkfb5hd_.exe	92

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	tmpfkfb5hd_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	tmpfkfb5hd_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	tmpfkfb5hd_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	tmpfkfb5hd_.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	tmpfkfb5hd_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmap.exe	tmpfkfb5hd_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	tmpfkfb5hd_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	tmpfkfb5hd_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	tmpfkfb5hd_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe	tmpfkfb5hd_.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\rmid.exe	tmpfkfb5hd_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	tmpfkfb5hd_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	tmpfkfb5hd_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe	tmpfkfb5hd_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\tnameserv.exe	tmpfkfb5hd_.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ktab.exe	tmpfkfb5hd_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	tmpfkfb5hd_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	tmpfkfb5hd_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	tmpfkfb5hd_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmic.exe	tmpfkfb5hd_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\native2ascii.exe	tmpfkfb5hd_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javacpl.exe	tmpfkfb5hd_.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	tmpfkfb5hd_.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	tmpfkfb5hd_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	tmpfkfb5hd_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmiregistry.exe	tmpfkfb5hd_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\policytool.exe	tmpfkfb5hd_.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ssvagent.exe	tmpfkfb5hd_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	tmpfkfb5hd_.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	tmpfkfb5hd_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jconsole.exe	tmpfkfb5hd_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdb.exe	tmpfkfb5hd_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\unpack200.exe	tmpfkfb5hd_.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\java.exe	tmpfkfb5hd_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	tmpfkfb5hd_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	tmpfkfb5hd_.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	tmpfkfb5hd_.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	tmpfkfb5hd_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe	tmpfkfb5hd_.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\unpack200.exe	tmpfkfb5hd_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	tmpfkfb5hd_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	tmpfkfb5hd_.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	tmpfkfb5hd_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe	tmpfkfb5hd_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe	tmpfkfb5hd_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jvisualvm.exe	tmpfkfb5hd_.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jabswitch.exe	tmpfkfb5hd_.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javacpl.exe	tmpfkfb5hd_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	tmpfkfb5hd_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	tmpfkfb5hd_.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	tmpfkfb5hd_.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	tmpfkfb5hd_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	tmpfkfb5hd_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe	tmpfkfb5hd_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdeps.exe	tmpfkfb5hd_.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	tmpfkfb5hd_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\servertool.exe	tmpfkfb5hd_.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	tmpfkfb5hd_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jsadebugd.exe	tmpfkfb5hd_.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\rmiregistry.exe	tmpfkfb5hd_.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	tmpfkfb5hd_.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	tmpfkfb5hd_.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	tmpfkfb5hd_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	tmpfkfb5hd_.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	tmpfkfb5hd_.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000616e2ffbee79d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000096143f2ee79d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000046d412fbee79d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002846edfcee79d901	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006c581ffdee79d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000037d131fbee79d901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000034751bf4ee79d901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000089b2cdfaee79d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000491d21f3ee79d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c2cfb8f4ee79d901	SearchProtocolHost.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	83	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
3084	tmpfkfb5hd_.exe
3084	tmpfkfb5hd_.exe
3084	tmpfkfb5hd_.exe
3084	tmpfkfb5hd_.exe
3760	tmpfkfb5hd_.exe
3760	tmpfkfb5hd_.exe
3760	tmpfkfb5hd_.exe
3760	tmpfkfb5hd_.exe
3760	tmpfkfb5hd_.exe
3760	tmpfkfb5hd_.exe
3760	tmpfkfb5hd_.exe
3760	tmpfkfb5hd_.exe
3760	tmpfkfb5hd_.exe
3760	tmpfkfb5hd_.exe
3760	tmpfkfb5hd_.exe
3760	tmpfkfb5hd_.exe
3760	tmpfkfb5hd_.exe
3760	tmpfkfb5hd_.exe
3760	tmpfkfb5hd_.exe
3760	tmpfkfb5hd_.exe
3760	tmpfkfb5hd_.exe
3760	tmpfkfb5hd_.exe
3760	tmpfkfb5hd_.exe
3760	tmpfkfb5hd_.exe
3760	tmpfkfb5hd_.exe
3760	tmpfkfb5hd_.exe
3760	tmpfkfb5hd_.exe
3760	tmpfkfb5hd_.exe
3760	tmpfkfb5hd_.exe
3760	tmpfkfb5hd_.exe
3760	tmpfkfb5hd_.exe
3760	tmpfkfb5hd_.exe
3760	tmpfkfb5hd_.exe
3760	tmpfkfb5hd_.exe
3760	tmpfkfb5hd_.exe
3760	tmpfkfb5hd_.exe
3760	tmpfkfb5hd_.exe
3760	tmpfkfb5hd_.exe
3760	tmpfkfb5hd_.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeDebugPrivilege	3084	tmpfkfb5hd_.exe
Token: SeTakeOwnershipPrivilege	3760	tmpfkfb5hd_.exe
Token: SeAuditPrivilege	3584	fxssvc.exe
Token: SeRestorePrivilege	1884	TieringEngineService.exe
Token: SeManageVolumePrivilege	1884	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4988	AgentService.exe
Token: SeBackupPrivilege	2668	vssvc.exe
Token: SeRestorePrivilege	2668	vssvc.exe
Token: SeAuditPrivilege	2668	vssvc.exe
Token: SeBackupPrivilege	3460	wbengine.exe
Token: SeRestorePrivilege	3460	wbengine.exe
Token: SeSecurityPrivilege	3460	wbengine.exe
Token: 33	4928	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4928	SearchIndexer.exe
Token: SeDebugPrivilege	3760	tmpfkfb5hd_.exe
Token: SeDebugPrivilege	3760	tmpfkfb5hd_.exe
Token: SeDebugPrivilege	3760	tmpfkfb5hd_.exe
Token: SeDebugPrivilege	3760	tmpfkfb5hd_.exe
Token: SeDebugPrivilege	3760	tmpfkfb5hd_.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3760	tmpfkfb5hd_.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 3084 wrote to memory of 396	3084	tmpfkfb5hd_.exe	83
PID 3084 wrote to memory of 396	3084	tmpfkfb5hd_.exe	83
PID 3084 wrote to memory of 396	3084	tmpfkfb5hd_.exe	83
PID 3084 wrote to memory of 3796	3084	tmpfkfb5hd_.exe	84
PID 3084 wrote to memory of 3796	3084	tmpfkfb5hd_.exe	84
PID 3084 wrote to memory of 3796	3084	tmpfkfb5hd_.exe	84
PID 3084 wrote to memory of 3760	3084	tmpfkfb5hd_.exe	85
PID 3084 wrote to memory of 3760	3084	tmpfkfb5hd_.exe	85
PID 3084 wrote to memory of 3760	3084	tmpfkfb5hd_.exe	85
PID 3084 wrote to memory of 3760	3084	tmpfkfb5hd_.exe	85
PID 3084 wrote to memory of 3760	3084	tmpfkfb5hd_.exe	85
PID 3084 wrote to memory of 3760	3084	tmpfkfb5hd_.exe	85
PID 3084 wrote to memory of 3760	3084	tmpfkfb5hd_.exe	85
PID 3084 wrote to memory of 3760	3084	tmpfkfb5hd_.exe	85
PID 3760 wrote to memory of 4684	3760	tmpfkfb5hd_.exe	92
PID 3760 wrote to memory of 4684	3760	tmpfkfb5hd_.exe	92
PID 3760 wrote to memory of 4684	3760	tmpfkfb5hd_.exe	92
PID 3760 wrote to memory of 4684	3760	tmpfkfb5hd_.exe	92
PID 3760 wrote to memory of 4684	3760	tmpfkfb5hd_.exe	92
PID 4928 wrote to memory of 4412	4928	SearchIndexer.exe	113
PID 4928 wrote to memory of 4412	4928	SearchIndexer.exe	113
PID 4928 wrote to memory of 960	4928	SearchIndexer.exe	114
PID 4928 wrote to memory of 960	4928	SearchIndexer.exe	114

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\tmpfkfb5hd_.exe
"C:\Users\Admin\AppData\Local\Temp\tmpfkfb5hd_.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3084
- C:\Users\Admin\AppData\Local\Temp\tmpfkfb5hd_.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpfkfb5hd_.exe"
  2⤵
  PID:396
- C:\Users\Admin\AppData\Local\Temp\tmpfkfb5hd_.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpfkfb5hd_.exe"
  2⤵
  PID:3796
- C:\Users\Admin\AppData\Local\Temp\tmpfkfb5hd_.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpfkfb5hd_.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3760
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path
    PID:4684

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2060

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3388

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1936

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3584

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3312

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3020

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3188

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4564

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1756

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:780

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4880

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:5092

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4588

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1840

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2372

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4792

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1072

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1884

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4988

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4612

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2668

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3460

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2376

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4928
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4412
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:960

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
4677d794f52d2b301ce20bb3945d859d

SHA1
13c316cbc153b53014dc390c8fff450487e9de19

SHA256
92a048196f6bec5dcfd3aeb403350565b162bc1f5bade3a256c7eac27a328c30

SHA512
0bac3d98f7d637d27981b51c44f1dabf0e56f00108b02b0e088d4eac6478b2ac266f1e07c22b57ff1abd49256b6ca10b2f3faf72d09c6511a187a3b57d39ce5d

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
061ce407327661c2ac0a9e82debd8e72

SHA1
335d78dcd16f9ad5df925a2f835e20286a32f8cd

SHA256
5f462a5951d7183f0bed92f8e974d7408c8381d6d8164c947da704d4597a2aa0

SHA512
80d36809d4de2eb3c587d5483babcf155bada4323d4ae50dd31aa8a3d26202543b525f5378597bd326f900dfc1268886c98d261b6b06a166061ee0eb398a995c

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
00f74b8a917c81ebb6a38bbeb41da38b

SHA1
80d22d89b16933eb1af9b235672b614a64b2c61a

SHA256
7adbcaf367e0157d085fe44e1406aae26225148c88b803f6ff64808907815d85

SHA512
410124beb9e0c19ef3cdf4721f868f69e5dd489e343e8a9faad9c56d9b40f84fb1d3c9007083b826e111f3f9251a93acd871d297e39d92fe2a053f55f17f8d51

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
f6e5a3e7b2d824ecd2d97cd6945cb082

SHA1
336cf4ecec4bfd030305e50347c9659faf24461e

SHA256
a3bd2ac50bc6a82b6500420b5e79105ee58511fa9f521a2e8772647c134c4043

SHA512
c65084d890974cf783b7b28da5bda60255cf495615631b225d08cc2a7181f9adbb2f70b2ff8eac216d14494be2656dbd37d1cb44621342e342e3761987e1bb3f

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
d24f647a6b3db146ec7d8d2828023f49

SHA1
2b0e718c8498d6876130410af84b144d6e0b5963

SHA256
f2fa4a4cb45007855ff76808aa50a09156332ee118521c59b923ac679b0b99fa

SHA512
fdf7328af7572c51d9f952fd9b3b9e2dbe89b20ee2e98b728acb276940020ba1c8cf1e9323bdef4a5530efa3ba99ddffdd234d8135991befccc04821a7c2c7d0

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
a0c03a2fb45f31f82e52026b06797581

SHA1
143e2769f7af87174c76d7f265e0aecdffa72c3c

SHA256
98c26aaab78b24acde24e35c898a6c4274fddf36f8d1a5b3f14fb1b64b96bdf3

SHA512
51cb7183cc9b73524d0dba7425e8aee4507735043f6a61e8b74befe508c7ffe988c9c467f6b65f30b20b5b3825774d6b904e8b18b3dbb402ca9cf04c0a28ab5d

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
de4d51b9982aa93422b8b0279d07e03d

SHA1
bd34be5a4744845869919da72a3a85b74fcb84b3

SHA256
9c3fc144f044d7fffaf655c0ac7b68f3efff2ea4846734c411ad498b9d736c25

SHA512
593ae4b5df1dc12c6dfcb7436df7234683eea742269d5649685551f2e57fe8622f5f340d749d267b145e8cfc09913dc2cc78c3feb109a2a7e777f93cf3f9748f

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
c9166e8898e8dccc28c7e6387a9959b1

SHA1
472b699fd7b734285cc1bccfdfb4fcf545ef862c

SHA256
43d0db2153a8c8b75a63c42fa94fed329528c00f681cef8e842364625dd90e95

SHA512
a0a60facfa0580707da8b18911972e95e8c109e9e6fce57007dff1b080cc6ed0b5cde330c2837f1ad66c8bffdd86bb493dbe72796d7a93d0d0421d3501f2b8f3

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
e3b304aeabefec144e74803d8cc35f1b

SHA1
1d46dda381fe5c7e3932f56b0c9c45d96d2724ec

SHA256
3d09f8071ebfc25f818feb7cf8e24e1f24fcd27e5f76a77ff0f8e3bb2a386965

SHA512
d954ee44d3eb4e36702cf818d4ea498d4363586a149262c4bdd2c9680e0ed64ee6de49d18576d3890ecbc8c0e24092e0736a8e520031b6069ba97f99a291b2bd

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
cdee448a736ae57615357e556b0eb197

SHA1
48898d88ee7917d3c82212f8b2b71b3f4fbe7b48

SHA256
523a931d0409d13ffd4d80ca4be51a4ab5d1ed6cd268c638917262a498627bed

SHA512
50bc61326822f931b8654ab027c3b8c4ef8b4cf832f1ca1a2c5f2d9a2217a6a4b09ce8910242c2253786d383513d9252a9e3cba03972b019de248d4bc189af6e

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
cdee448a736ae57615357e556b0eb197

SHA1
48898d88ee7917d3c82212f8b2b71b3f4fbe7b48

SHA256
523a931d0409d13ffd4d80ca4be51a4ab5d1ed6cd268c638917262a498627bed

SHA512
50bc61326822f931b8654ab027c3b8c4ef8b4cf832f1ca1a2c5f2d9a2217a6a4b09ce8910242c2253786d383513d9252a9e3cba03972b019de248d4bc189af6e

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
b016a74ba87d442b59cd2cf10bf818aa

SHA1
92af747fab52654f6fecc7ce5d1710134205a136

SHA256
68e781fec9ef94d3181772ef0607f326efd5bc111663aa0baea9b108fa5e9ea5

SHA512
13f0225cd469710e50fe28974323e68b87d8a900356a00a8afda6eafbc8e1e8064781482ff3b88debbce1bc8636e8f59aac841d6b455c94db462f6b95b4519e7

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
efe4f3ea821e402e8ad341442afaef04

SHA1
c8806c1abca2af96c35269f86f2972f256fcb1cc

SHA256
1868b68bc384f1b57297a947a5a6f176764cfca686931a25c1bbe0baa04ada04

SHA512
7be2cb3d6e75f3a2a331aa18fa98890c85e31961bec38bc77a3b72ce3a99b82b350333eeab17abd04d99aad4bb24987ade02751958a02f3e466bb68bfe351a66

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
ef0fd025211469f65eec34324a13596f

SHA1
c5cc41594805a8ef24b4c86decc34243f17a8d46

SHA256
6fa6e401afed5042fe9af45073fb822940a94e893582bc0694c44b38af4190b8

SHA512
9d22a8b4e89229eaec9008d92668c388d368ba366f73be92844ad4de8a2235baffbe317526edf5c0ac64e4256e4dd644ec325e577d1a83d3bbd2b26e10f79871

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
fa03a3094e7a04863b7b89790dffa4c6

SHA1
03a72f97c22548932391461c34e67e9ac9cdb6e6

SHA256
b7c474e968b26a12ceb42ef36d559b315e743058c3144254a884b5484fc8d3a9

SHA512
54ebbdf44f5c97beee10c80ff16de2ce849fd0a7b8139634d7a8603bb6d5dbad98ef80871133ca26dadcd35c7de4eedb66a733bc496149b6abf9c3e6ca0127b0

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
4dc592a85a63ac81493386bb7b95463e

SHA1
41dc61475a289262ea84f20b97bd50a2c6e070b9

SHA256
6a00ae702cc2f46aa109ac884d7100ae88d1d35cd628cf4beda06a53c91eae0b

SHA512
f494dc1be70812b3c7ed959f856143003ca726e968406d34b7bcc63b172511306515b3b9040bad561fa33d395660854547beb5b4744c856f635939cc08b6cca8

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
c8bbc7d9a020cd48a74281d72b3e97b3

SHA1
82f7f5ae42201081598cf1b26c9e9c5daeb1cc70

SHA256
cad01cc27c2ec9cb758cba553c2f1bfd59c71271799c76a3f3659345c513d2ce

SHA512
c8ae866174410ae18279669283ab73bb4b4261307d662b7c1c3ee0a01e4f267ff950470ad9eac3cbe2a27a361f70873774dd1cc94554a57d8456b59f507da794

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
fcb917c18dc8e52608f46ce7082ec505

SHA1
30a2ae16a01c7b017b19b441554fab7fb0001a4a

SHA256
aaac2a403e0547ad34fe51e5f5cea6fb055d56153a7a2caae12b95ca574d0d08

SHA512
0d35d0410f015776596f4d080fc0136c4cbe96ca6f0a0d4da15f5977ac5171d668c0df2543e71fcac47eb2c0a0c92cbf272c0760716b79257b13515feb9bdc5d

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
a495a132104c7c6934a8f305392b9653

SHA1
729972c418e0c7d2f2468a665341d38ce5326dcf

SHA256
26e787d052d0834ad903a42ef2baa9e9a34de23ef79a9a18086878bb5688c853

SHA512
e99152f347736a33125425cb07a28956b423e80c29c3a50689acfc9e26c3e2ca3591d38d2a5b9e5a240770119e754c8e0acd712d3bb45a6cc093628f55274406

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
c052ca3410f3a234e44df248e57f12b1

SHA1
94b1294c95403bacbb5f5842e6e1e125e6a95329

SHA256
df0ed51e807c8f7879f248a6ec19fbd193f493711f32fb58a00e78aca06017cd

SHA512
7a5c776065227ff334efbd8e91925e1eaeaa0cc66c5a253c8f4515c25232747a37525bafeb79399297c49f218f6d76382961328fa931431494d0972f06ab818e

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
ae84fae952935a98b77094b75cb95afe

SHA1
05c3741aa2e44a070f5e163ff64ef5190ad64c86

SHA256
518fd5e002183c0707c2682536a16f92e5bac74ae8952c2690feb04dccea5ab3

SHA512
809bbded95f18a2b5afe8f726c005ff48f3870798d7299e895e0c08416968c7e089eaa04f84dbf69e43c0a6b24c9da52ce2a04aad734ee737077fc9ee663d5a9

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
0f550a93d0aebcb77b613df8d8d998b5

SHA1
685234bded7bc8e391b8e61135e3d4d8a6bfa5c8

SHA256
b89bb38f2d280b2629683d5bf43770e866aafb8aaf95801fad80280c38ad13cb

SHA512
13920c84af5c777a5acd77d14d4031f26274ec8112e21dbdcd3a72daab88a91212b75337c18c759fc2eddf3a4b5dba5aae0a164a5c9ec377df00ac51a1cc9505

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
d093024b04a9403865df2c675c820d5d

SHA1
0e5bbd1c6878d2de6b4fe246474d796bff08bd9b

SHA256
aca7df02d95445ff87d1799f6bd14b79031938d1e9d0c4cf1b2b3d8d4e8400b9

SHA512
6918b99ac4175f42e43d2cf1b91f42e82776014f14a7edbff1cd4c5b1cbf250801d60a0a63c5e3ee993e68b397a135e7fd186400cd3b58c0e37c5ed7afccfc23

Download Submit
memory/780-269-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/960-795-0x0000018EE27A0000-0x0000018EE27AE000-memory.dmp

Filesize
56KB

Download
memory/960-797-0x0000018EE27A0000-0x0000018EE27AE000-memory.dmp

Filesize
56KB

Download
memory/960-631-0x0000018EE2370000-0x0000018EE2380000-memory.dmp

Filesize
64KB

Download
memory/960-792-0x0000018EE27A0000-0x0000018EE27AE000-memory.dmp

Filesize
56KB

Download
memory/960-632-0x0000018EE2380000-0x0000018EE2390000-memory.dmp

Filesize
64KB

Download
memory/960-634-0x0000018EE2380000-0x0000018EE2381000-memory.dmp

Filesize
4KB

Download
memory/960-651-0x0000018EE2380000-0x0000018EE2390000-memory.dmp

Filesize
64KB

Download
memory/960-736-0x0000018EE27A0000-0x0000018EE27AE000-memory.dmp

Filesize
56KB

Download
memory/960-735-0x0000018EE27A0000-0x0000018EE27AE000-memory.dmp

Filesize
56KB

Download
memory/960-791-0x0000018EE27A0000-0x0000018EE27AE000-memory.dmp

Filesize
56KB

Download
memory/960-793-0x0000018EE27A0000-0x0000018EE27AE000-memory.dmp

Filesize
56KB

Download
memory/960-800-0x0000018EE27A0000-0x0000018EE27AE000-memory.dmp

Filesize
56KB

Download
memory/960-737-0x0000018EE27A0000-0x0000018EE27AE000-memory.dmp

Filesize
56KB

Download
memory/960-799-0x0000018EE27A0000-0x0000018EE27AE000-memory.dmp

Filesize
56KB

Download
memory/960-798-0x0000018EE27A0000-0x0000018EE27AE000-memory.dmp

Filesize
56KB

Download
memory/960-794-0x0000018EE27A0000-0x0000018EE27AE000-memory.dmp

Filesize
56KB

Download
memory/960-790-0x0000018EE27A0000-0x0000018EE27AE000-memory.dmp

Filesize
56KB

Download
memory/960-789-0x0000018EE27A0000-0x0000018EE27AE000-memory.dmp

Filesize
56KB

Download
memory/960-741-0x0000018EE27A0000-0x0000018EE27AE000-memory.dmp

Filesize
56KB

Download
memory/960-796-0x0000018EE27A0000-0x0000018EE27AE000-memory.dmp

Filesize
56KB

Download
memory/960-784-0x0000018EE27A0000-0x0000018EE27AE000-memory.dmp

Filesize
56KB

Download
memory/960-788-0x0000018EE27A0000-0x0000018EE27AE000-memory.dmp

Filesize
56KB

Download
memory/1756-267-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/1840-324-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1884-347-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/2060-162-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/2060-157-0x0000000000660000-0x00000000006C0000-memory.dmp

Filesize
384KB

Download
memory/2060-397-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/2060-164-0x0000000000660000-0x00000000006C0000-memory.dmp

Filesize
384KB

Download
memory/2372-327-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2372-557-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2376-592-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/2376-404-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/2668-589-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2668-376-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3020-212-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/3020-469-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3020-205-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/3020-211-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3084-139-0x0000000007E20000-0x0000000007EBC000-memory.dmp

Filesize
624KB

Download
memory/3084-133-0x0000000000560000-0x00000000006D8000-memory.dmp

Filesize
1.5MB

Download
memory/3084-138-0x0000000005010000-0x0000000005020000-memory.dmp

Filesize
64KB

Download
memory/3084-137-0x0000000005080000-0x000000000508A000-memory.dmp

Filesize
40KB

Download
memory/3084-134-0x0000000005660000-0x0000000005C04000-memory.dmp

Filesize
5.6MB

Download
memory/3084-136-0x0000000005010000-0x0000000005020000-memory.dmp

Filesize
64KB

Download
memory/3084-135-0x00000000050B0000-0x0000000005142000-memory.dmp

Filesize
584KB

Download
memory/3188-230-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3188-228-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3188-224-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3188-218-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3312-198-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/3312-214-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3312-471-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3312-192-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/3388-179-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/3388-176-0x0000000000660000-0x00000000006C0000-memory.dmp

Filesize
384KB

Download
memory/3460-401-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3584-200-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/3584-203-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3584-181-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/3584-187-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/3584-190-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3760-372-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/3760-140-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/3760-143-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/3760-144-0x0000000002EC0000-0x0000000002F26000-memory.dmp

Filesize
408KB

Download
memory/3760-149-0x0000000002EC0000-0x0000000002F26000-memory.dmp

Filesize
408KB

Download
memory/3760-154-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/4564-234-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/4564-507-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/4564-233-0x00000000007A0000-0x0000000000800000-memory.dmp

Filesize
384KB

Download
memory/4588-302-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4588-525-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4612-374-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4684-215-0x0000000000900000-0x0000000000966000-memory.dmp

Filesize
408KB

Download
memory/4792-329-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/4792-558-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/4880-298-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/4928-419-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4928-604-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4988-359-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5092-300-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download