blustealer | a0b3efe8781aed703dc0309955d29b7d4554e722733a556187e9cb16f25dd6c5

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
01-05-2023 08:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Purchase Order 202319876.exe
Size

1.5MB
MD5

581f51fd35e943a69a4c569fa8654736
SHA1

610e7579a996ea788ccb688a9dda9d4855a40a2d
SHA256

18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043
SHA512

8bb8ce0f096c5a08e2457c7039f0169ae312f850e8189e240176e7a4ccf4ba113efe9f3a19e4e282ff66b60e48b0e07127270da804e0192f5ef091f7ea9e03db
SSDEEP

24576:Xbj8B+M73OglQfGmzu7SulbydbwcLxTDkU9tMMkB5lO2dMqtX1uP:XX++tglKKPwbwcLh4otmB7ldMg1C

Score

10^/10

blustealer collection spyware stealer

Malware Config

Extracted

Family

blustealer

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 21 IoCs

pid	Process
4628	alg.exe
340	DiagnosticsHub.StandardCollector.Service.exe
920	fxssvc.exe
4368	elevation_service.exe
1260	elevation_service.exe
1816	maintenanceservice.exe
952	msdtc.exe
3652	PerceptionSimulationService.exe
644	perfhost.exe
3020	locator.exe
4596	SensorDataService.exe
2312	snmptrap.exe
2836	spectrum.exe
5076	ssh-agent.exe
1780	TieringEngineService.exe
3708	AgentService.exe
3372	vds.exe
3436	vssvc.exe
4956	wbengine.exe
3912	WmiApSrv.exe
4324	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Drops file in System32 directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\wbengine.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\System32\alg.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\System32\vds.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\vssvc.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\system32\locator.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\system32\dllhost.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\68c49c3a9a2815e1.bin	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\system32\AgentService.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\system32\msiexec.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\spectrum.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4648 set thread context of 4416	4648	Purchase Order 202319876.exe	91
PID 4416 set thread context of 1400	4416	Purchase Order 202319876.exe	97

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javacpl.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\tnameserv.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\klist.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\tnameserv.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jvisualvm.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\unpack200.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\pack200.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javaws.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\servertool.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\rmid.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\servertool.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ssvagent.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\kinit.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	Purchase Order 202319876.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009c6c63ee1b7cd901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000538319ee1b7cd901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d310e5ed1b7cd901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002ecbc2ee1b7cd901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000978b7eed1b7cd901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000076f6b8f11b7cd901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000048fdb2ed1b7cd901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006909daec1b7cd901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a7f58bee1b7cd901	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000312dc5ee1b7cd901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	97	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
4416	Purchase Order 202319876.exe
4416	Purchase Order 202319876.exe
4416	Purchase Order 202319876.exe
4416	Purchase Order 202319876.exe
4416	Purchase Order 202319876.exe
4416	Purchase Order 202319876.exe
4416	Purchase Order 202319876.exe
4416	Purchase Order 202319876.exe
4416	Purchase Order 202319876.exe
4416	Purchase Order 202319876.exe
4416	Purchase Order 202319876.exe
4416	Purchase Order 202319876.exe
4416	Purchase Order 202319876.exe
4416	Purchase Order 202319876.exe
4416	Purchase Order 202319876.exe
4416	Purchase Order 202319876.exe
4416	Purchase Order 202319876.exe
4416	Purchase Order 202319876.exe
4416	Purchase Order 202319876.exe
4416	Purchase Order 202319876.exe
4416	Purchase Order 202319876.exe
4416	Purchase Order 202319876.exe
4416	Purchase Order 202319876.exe
4416	Purchase Order 202319876.exe
4416	Purchase Order 202319876.exe
4416	Purchase Order 202319876.exe
4416	Purchase Order 202319876.exe
4416	Purchase Order 202319876.exe
4416	Purchase Order 202319876.exe
4416	Purchase Order 202319876.exe
4416	Purchase Order 202319876.exe
4416	Purchase Order 202319876.exe
4416	Purchase Order 202319876.exe
4416	Purchase Order 202319876.exe
4416	Purchase Order 202319876.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
672	Process not Found
672	Process not Found

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4416	Purchase Order 202319876.exe
Token: SeAuditPrivilege	920	fxssvc.exe
Token: SeRestorePrivilege	1780	TieringEngineService.exe
Token: SeManageVolumePrivilege	1780	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3708	AgentService.exe
Token: SeBackupPrivilege	3436	vssvc.exe
Token: SeRestorePrivilege	3436	vssvc.exe
Token: SeAuditPrivilege	3436	vssvc.exe
Token: SeBackupPrivilege	4956	wbengine.exe
Token: SeRestorePrivilege	4956	wbengine.exe
Token: SeSecurityPrivilege	4956	wbengine.exe
Token: 33	4324	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4324	SearchIndexer.exe
Token: SeDebugPrivilege	4416	Purchase Order 202319876.exe
Token: SeDebugPrivilege	4416	Purchase Order 202319876.exe
Token: SeDebugPrivilege	4416	Purchase Order 202319876.exe
Token: SeDebugPrivilege	4416	Purchase Order 202319876.exe
Token: SeDebugPrivilege	4416	Purchase Order 202319876.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4416	Purchase Order 202319876.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 4648 wrote to memory of 4416	4648	Purchase Order 202319876.exe	91
PID 4648 wrote to memory of 4416	4648	Purchase Order 202319876.exe	91
PID 4648 wrote to memory of 4416	4648	Purchase Order 202319876.exe	91
PID 4648 wrote to memory of 4416	4648	Purchase Order 202319876.exe	91
PID 4648 wrote to memory of 4416	4648	Purchase Order 202319876.exe	91
PID 4648 wrote to memory of 4416	4648	Purchase Order 202319876.exe	91
PID 4648 wrote to memory of 4416	4648	Purchase Order 202319876.exe	91
PID 4648 wrote to memory of 4416	4648	Purchase Order 202319876.exe	91
PID 4416 wrote to memory of 1400	4416	Purchase Order 202319876.exe	97
PID 4416 wrote to memory of 1400	4416	Purchase Order 202319876.exe	97
PID 4416 wrote to memory of 1400	4416	Purchase Order 202319876.exe	97
PID 4416 wrote to memory of 1400	4416	Purchase Order 202319876.exe	97
PID 4416 wrote to memory of 1400	4416	Purchase Order 202319876.exe	97
PID 4324 wrote to memory of 2904	4324	SearchIndexer.exe	119
PID 4324 wrote to memory of 2904	4324	SearchIndexer.exe	119
PID 4324 wrote to memory of 4256	4324	SearchIndexer.exe	120
PID 4324 wrote to memory of 4256	4324	SearchIndexer.exe	120

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\Purchase Order 202319876.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase Order 202319876.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4648
- C:\Users\Admin\AppData\Local\Temp\Purchase Order 202319876.exe
  "C:\Users\Admin\AppData\Local\Temp\Purchase Order 202319876.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4416
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path
    PID:1400

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:4628

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:340

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4456

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:920

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4368

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1260

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1816

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
PID:952

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
PID:2532

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3652

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:644

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3020

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4596

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2312

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2836

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5076

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:596

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1780

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3708

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3372

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3436

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4956

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3912

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4324
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2904
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4256

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe

Filesize
1.7MB

MD5
f6950bbf9aefff5ca61ad9cb221e0110

SHA1
fc42694b73143869ea9b93ef88fb69a071d90150

SHA256
11edea6c2da4b68989355fbf43da103e287feb4ac5a946ed7b59d192e55346c7

SHA512
6aad79270a69f71b646aea2841a213d2654ba27e7d9093030ebcf747c68d8451eb1494423455fbec47d2967b4415efd874aaecf2d2707b800d862083c87dcbf4

Download Submit
C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe

Filesize
1.4MB

MD5
86a944bcbf7185aa5aae32d4c53b9244

SHA1
9b6ae45765d1014e099b16ed6d731d6d43f37d54

SHA256
deb84ef4d75182e1cd6631dd44bc5f16807e04847e9e54f81d99e32c2703fc61

SHA512
bb5b0cba4a802999dc2bafb5f242309a2504df54202391b9b5a4a49ec3605356c638992825aaf089ff6a544bcc175b68d847fda0dc1886e9a5ff53e5661efe5d

Download Submit
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe

Filesize
1.1MB

MD5
c78f4d7da75514bc2b8b6898992d48a6

SHA1
df259c360e144ffd4f98d42c7c95ae3b8738b25c

SHA256
9e9bc6d2b36ed9604270154c702c0f17e790575430ba6105fc5bb46e29652164

SHA512
42f8439bae6bce249a0df1bfe63e1f2ac86999999914ea7d6cc5095e844ee1e7eb6504dfea3df9bdf7dc2397a2a400cf2d8187ef907f0c2280178ba5bc37e8bf

Download Submit
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe

Filesize
1.2MB

MD5
41652e1a4346f832e3807f7975a2f781

SHA1
1095141140aaac823fd78a7fedd3b172cd88372f

SHA256
bed502d3e46e489f9a7893cef84d6918b220db23e164509b24dbdd526bee1125

SHA512
816e1607cd55966d0e9ea0d808133898559057f4519f20e0e4f848ac1d88dc960a2fadb65a8328e31e86d8f2a02f748a25ecadfdf602db2121ed84e7310fb431

Download Submit
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe

Filesize
640KB

MD5
54811f2194b75a38118c923a2f34a7c5

SHA1
6d9f0c078854a6b92546494d039d673b963135e7

SHA256
b9b68c27405ed37f6f6300518d36a1ae61ab919c26aa2318be64fbcce6bb6358

SHA512
664f48d2ebdfa5f407627afdb19dd496c2b4d528b080f5e76f64805a092ad814c0cb759cca107d8bda812b7d8ee0aeaae670348ecdbe8a11a4f0a7f526da809a

Download Submit
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe

Filesize
640KB

MD5
4e5d055c1fd3f962819c109bfdfb220b

SHA1
249e74a420f83aaa83d7dff3ac10c5fda31a6803

SHA256
a1e57c2296bd663411dd3e4be16242f35392136eeb9295f959c07fdd0293e05f

SHA512
ec4a0f79d6ed14f27e5e64b16a15c455ee584a036b7f7588261526d35759a69c417f1f7bd7a766c75f0359977393d30567e061755fe9876803d27104a17da15a

Download Submit
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe

Filesize
640KB

MD5
d7665bcf44a6fd7be475687665c60405

SHA1
74fe1338c665fa0784b66b4717ad4be797480697

SHA256
27f9934efe9b5d95b05db5d1ee1daf34a6b9e55f290e6bc01eead15071dafb3a

SHA512
43d29db6c5d4829f6fcf097394fff39e56e392364d5719fadb4899baf508ee4a856c0a52916c1490747a6eec5eff1ddd9d9fc79ad1c55d09c790683479d736ca

Download Submit
C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe

Filesize
640KB

MD5
fa9836035452614e4251a61fe5bb23e4

SHA1
db780e9aafc531d84cbf8b3ee10009f9d8354941

SHA256
a5d02094960b585449fdb0866ee4e3552e17d5c5d33be724299e4ee638b5a34e

SHA512
cec12aee99d8e7ba8105890c5eade7d42f7b89796d193e104aaf87f4a4f8241c36c4e09ce0d7fff6edc7a6c2334ecb69f02352b35991c04b77d4dc06f6f94143

Download Submit
C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe

Filesize
640KB

MD5
0dbf51f40824e1955d7e91f6e2e3156f

SHA1
110bbaca9f043474a46bd8932c867e3c915beec0

SHA256
6808f17b9f5d61eeae0a121ffb6f42eaccee312e0ef7308e12349c0adcaaa4a7

SHA512
13a0a877b9fb7498c33c0a1cd21290710313d42697df7f9182957112d2893dc5709f904894ed62681840c793a7c4b010ad0831d499f681fe242be2dc86e663c6

Download Submit
C:\Program Files (x86)\Google\Update\Install\{71ADFEE3-430E-4776-83B2-F32638BD7B7F}\chrome_installer.exe

Filesize
578KB

MD5
3f253068ec8fae8d9a8acda85f1776b2

SHA1
730b6ed42b6c6d4d457596eb05b120382702e243

SHA256
89a73d694b6fa3108ac09f56d33b89003a29b0b6e9ebd864f49125b6fecaf2a9

SHA512
2be39cb55e037bb9cd9c10a71ae8cdb2d90cc4cba8447dd410da491feccb47d2c485a7b76cace66b73ee34acbd619ab7957eaed164a7bbf25c4ee2b74def8675

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
e40b088615a0df0b4c00e247a0de3467

SHA1
aa8500cba50d2ec9f8d36ffb895068d1c71a542b

SHA256
1626c2db98ac4e01c69333bee425d7bd010e4b44f5ef2f4fa448361670c22c65

SHA512
073470e4181b105cc8b018c450f119238062b179dbab2a7cdc59926563601e98b28e646f84de4573a0219df71cf2b210e387593911775cc624992f9942e1a1a0

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
c38d3c2d2c7835ff0ec057fbf8db29c4

SHA1
eb57754c33c6ec5accda82e3127278164dcaf5b1

SHA256
93e0a1cedddd011495eb87e72762aeb625ac30521e2ccbea4eba1e54adec6258

SHA512
b25ebce47894611ae42761a332e3d107cc57364b06edd26749f7fc32718ea1b4d2e20f60f7703ecb639fa065a90ba1160965780c925f00ab7949fd2a547ae583

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
c38d3c2d2c7835ff0ec057fbf8db29c4

SHA1
eb57754c33c6ec5accda82e3127278164dcaf5b1

SHA256
93e0a1cedddd011495eb87e72762aeb625ac30521e2ccbea4eba1e54adec6258

SHA512
b25ebce47894611ae42761a332e3d107cc57364b06edd26749f7fc32718ea1b4d2e20f60f7703ecb639fa065a90ba1160965780c925f00ab7949fd2a547ae583

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
c76f141345b0934a4971d64d0840e834

SHA1
9578aada0e2aa318ce8184fe29052e308b35abbf

SHA256
55ae2a9625cae3f1071e1a945262f3767c9691d1a69ec696aa103151dd9ec791

SHA512
1fd791730eb8c0a49b287bc354f0f13ea03c04dfb546020e1cf06819ea42764801c6bc6cb8f8ace62b4c0a57de17757ef216840daf26b2cf56313b0896efe813

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
ec1e8130cca290e8b9f2b6d25778728c

SHA1
2af384cb7dc5d14ced629b2a723cd955f0909ae5

SHA256
b74d46b9ba094c7084a79e6d691dc365fd3e825948e4962c430583f87692f743

SHA512
349ead487d7ba80221e34009d1f1278815e9ec773ec3098b529cd33fe27bb5f7bc8677c1f15f029eb9aeac052d6d68e3c93b1ac3d096661c8927f21b52ce5847

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
66d7613351bb4bf3366153e2832cb5dc

SHA1
2f9810d86e4968177ee1d1988e1bfa8b888a1b88

SHA256
0f81a5f233ad0f3723e8fc3519548093d42133b39a7da068ea79cb65b87b92c4

SHA512
9a37cc98b03f6779d31ebcf615817503ce3088838aa30bac64add6bdc94711275269d6f9f1c79bc506aedb80ab609916952aa2cfb46ec9a30490771f1c9b2a76

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
b4f6c67ef03fceb9291e593070b27391

SHA1
b9210f59af21e46d1193728e03d1c8bf310158a2

SHA256
5c3697817df8e2da3cb52bcc59745061e07aa6164ea347f81461a9eb661eed69

SHA512
e5135cb5b0b9e63c900fac9d9d032c845dca2f1e85daa4513c9937fbcf321114a26716c072ab279b4f7a1a647981cd59c6117e78e08b39e8070e907465afb50e

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
1bacdd7fd63185919fa704eb3c23316d

SHA1
5ad456641b02c81525540db3ec4ffb574dd02222

SHA256
2a249a6481d578bf5d09e34428ef4a34eaba75b4bc1307ef11fef6fdba8b330d

SHA512
1046abc4d821bf3d3840f9852766a250085df53723d3f69d94999395cb9bf9b8eb3614c0f86f16de868ff009dd97a976489d2bfc55c8e501c345c2a8250a05e4

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
e6e797d1c3c1bb32e075a4e247de8da9

SHA1
4c8817700d10250f6cae6488031360aa5c3a8638

SHA256
0dda03d592873240ccdf2e2641cf9553943e2df519494ea6f9469e03452f3650

SHA512
75ea80d2fd460832cea853c970a54d6776532615110424352b55983e431039116838592cef26cd8013547f3b8783df45001e381b89872fb2aa8886a998f81bcc

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
bed3b3214f5ac0f1f08fb60d8e0bc903

SHA1
c3dff68a78b4be898f0ff0921ab350d6bd052294

SHA256
d358f37af938504f5d65269a05fd9e3498d37314f90b4271dc451966c3a1ce9e

SHA512
650b9df2ea188d9246f2f4c3173e607d1c6d89c77e582c67b8e472858cfa3c4da0a3936ddea89ebeb899222e1ca1f61a33c3473b8d81c843d2de3ff1f1abbd26

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
43a50ce7408a3386724521f73fc1a984

SHA1
797387e4e224a6970953cce0de97a14327ca8d0d

SHA256
0d1ad5b971ed0ad1d6cbc094d28e3c55a285eb85fcf8682cab8a4ef67a383e6f

SHA512
955284d1d3dff2a36431e394ee989939a9eaf8d78e2797988ce4275c3886af2fdaee2f5de231e0c5081a35c2a7ad9950f5ab8fb208675d39c5351a7761dee9af

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
43a50ce7408a3386724521f73fc1a984

SHA1
797387e4e224a6970953cce0de97a14327ca8d0d

SHA256
0d1ad5b971ed0ad1d6cbc094d28e3c55a285eb85fcf8682cab8a4ef67a383e6f

SHA512
955284d1d3dff2a36431e394ee989939a9eaf8d78e2797988ce4275c3886af2fdaee2f5de231e0c5081a35c2a7ad9950f5ab8fb208675d39c5351a7761dee9af

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
31f8815d08c9db0d755a88548f7fd11b

SHA1
eadf6ee5b3e350f9fa57465fe93e727c10037178

SHA256
904bcf64ba25a00dd24fd8885da91e8c6ba8ab89a53788f54b101f8feec12abf

SHA512
b95f87ee12085ce9ecb1d43ede12192f39b91a3a3cf2a43f252793078685cbbac9dcdab32f1af635a22e3db1f1cda98f90f4f525d12b01c0f2d3d06a665c3ae8

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
e1623412b9ac4282fa02955affee3295

SHA1
60cde4ee51ba82a23d7314489882b794ca50e5ad

SHA256
dc9239919807ea6ea99285d93b0480d08f915b03908348e290f0150f64e0c690

SHA512
78f0b5d44629906b1f305823e299f9c872fb284edb324b9ed9b5e98d632f6cd6fb27ded90d08dfd2b33466a7dc89909ee19ffbe93e4ce3f28ca7c41e04478c82

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
27293a2cb1e8afd6fd09af639227ab7a

SHA1
3b510077333b36015d19f685bf7a3bd72156322a

SHA256
0e818c22506fc296c6e3519408dc10e018a1031a601c9fbfd4fe2493240c165c

SHA512
80f270f3539efdaeab9c65724242e9ae24f055f3758ed749281a7b2c9b7c2428659db1f8e7547027cfe43946ecf5ac59293b70af62827dd86245398a30915d2d

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
27293a2cb1e8afd6fd09af639227ab7a

SHA1
3b510077333b36015d19f685bf7a3bd72156322a

SHA256
0e818c22506fc296c6e3519408dc10e018a1031a601c9fbfd4fe2493240c165c

SHA512
80f270f3539efdaeab9c65724242e9ae24f055f3758ed749281a7b2c9b7c2428659db1f8e7547027cfe43946ecf5ac59293b70af62827dd86245398a30915d2d

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
1b5b7a6111bd18f81f8304985d67c654

SHA1
67041171d32bf14016c4f3bb638f3f3ea5fc6016

SHA256
e0ce79576048c7cc236e16efb041291c9768a5f02a25a76f9190523ee6478f34

SHA512
bdc950b06675b71361c1d1dd1b1bcc2954f4552856a20acc7264b7a27c69b5d7206c3e9e88608c66c910c6f21bb262ab799b17ba12cd126e031c60e32c4028a0

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
ab85fbe538007161a9b73d1c5aef3cce

SHA1
6fa5244433d143a1d1fffeb330b7a604e05ce150

SHA256
e6609ce6662167c64902c2e370b290bb46386da4f7a033a12928427314089e41

SHA512
9df3e6a3cd3dbcd4688bbaae801025c9f5eabcde5ec140e1fac221da2994f1c5924b99125a4ecf63669e484d96c4f91ee91a6e097fc1320389ac9732e7b5660c

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
e8aceec3888445244f567a11f6007892

SHA1
c170a91bc78c915d8933951027c90169fa1e3431

SHA256
bef31180e22612ee5333707fd3a452942bb3c8e9d9f3b001de9fa9df59aea3a7

SHA512
86b315378803c32847238afe2d76cb2dafe442144d0b90a732fcc3f1635280d18ad1c3aad0e72ea29aee5dc12b61fe7fc93e0b941c85e96916481cc4614ce337

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
53cd8e0838976d0f3dee9c411b6730b5

SHA1
ffea31beb4b556407e2d78aa4b0b9404133fffdf

SHA256
15685cc13ec9fc774c8a9189638cd1d524b70a35fbf1d6af1afe04f055bb94b3

SHA512
48bbcd6ca8fc2cee60b43a232293e2efa329949812f634d71fd7606bd6c9b0c21b10b71aa722ec2194da58eebb23e0d19a5c524002fb4a87cf2d18178d612b7b

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
4ef1da1c39915f93f50e174ecb8c3b89

SHA1
c1181844e366a0018b1f2114f8aba80e85a42540

SHA256
6f7ef4abb5bd8b4adde34f7b5bf89c640cfe7c3e739b568ad16457621bb39bdd

SHA512
8b531b5f00af73e1f5e109b53b2301d6ff3770caf52f0b74404e18b2213a6cfa421a2479681205d6e93fbee55f704263a8fff3e74ade872201136d44da910863

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
01bdae02971f6f6380b6033cb36b0400

SHA1
1a45243c4cf3b11843ff18a06e4795299df4fb87

SHA256
e7e71e0cbf90ccf0b465cfcd6bbf1164bb8cc13ec29ba59b4c731ab86eefe7d0

SHA512
bb30540ce6f4c0f49cc0401f9af428e8ac2ad93d5483f8d5bcfa5f40f1696230990120d9beb9fb3642b0ba65b4dbd58c6ea58c12984253982072514c32d0ab75

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
64a18d21b0d75ab31d5584755c79640c

SHA1
db81af77c51d6651c46714c6e6f9dbe6366e2f15

SHA256
6adc6bd9898641c8a0592241e466f2cd7aa5df134fa244b3ec94a3e813963c19

SHA512
47a8c7a7d0c9ccf77a338a966bcdc536fb113e59e51418b09fbc873cdedc9433edadf03a40e2881929917c77ae8e1c38b72df4eefcdfb1e54ca2a93a8c108492

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
b2e5c654dc98ce6119a021efc9fb1820

SHA1
be811bcc07d1a036dfe1fa9b4e51b8be65c13e31

SHA256
df076b52f1ef1c01ef4fdf7cc43affc361c5e7252c95320626e3ecfb5e594d53

SHA512
1f824b7b23569f177d51ca84f4dd1b0c87b645334294bcb314226ee55741a442dee22fccb61b4302646acc5c45f73a64562def93bb7257a392139782c141a3f1

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
6d87bfa816b7a83790326f1f0bda2f2d

SHA1
c82559f9f0beefb17e1e721fd016b97ad915c10d

SHA256
434218e2a015a0f290754a3edd4b993825a81fc7168ca47b274713d414329519

SHA512
f5174dd7a9951981447a183cfd034d0d356c0f937d8f84c2cfba9171354686914eb30a34f66765b09dd6578665684a5b8710f1efef8142d851f38bd5f48137ed

Download Submit
C:\Windows\system32\AgentService.exe

Filesize
1.7MB

MD5
b4f6c67ef03fceb9291e593070b27391

SHA1
b9210f59af21e46d1193728e03d1c8bf310158a2

SHA256
5c3697817df8e2da3cb52bcc59745061e07aa6164ea347f81461a9eb661eed69

SHA512
e5135cb5b0b9e63c900fac9d9d032c845dca2f1e85daa4513c9937fbcf321114a26716c072ab279b4f7a1a647981cd59c6117e78e08b39e8070e907465afb50e

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
6f8853f976ea4181a0fa4adc37024241

SHA1
e63e956c1cb0af67ef4742b0ac673727f74bbf25

SHA256
7633e074efab9599540f060d76f6b4b52d3a1734ed9db350e60af4318fed9e50

SHA512
14b6865265a6d29518ec8dd7292e7dedd8e7b5a95d90c8355e8eab912ec2ed521c7e9f72e9c279142f1f057fbff3fa4aa28e9327b9a42166254903ec8962dc46

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
852c3bcaed1f2fbf7e70f7c24b6b28fb

SHA1
866e6bbf2be4bb8c1389c4c1d6e75d6b01c88995

SHA256
d1b51990df0ddd0436793e783290a9a025130560a3c20ecf40ebb92bd06e4c71

SHA512
3d3dbf07871039eeaa70b6e6b93c7f6bc48e9d474dd44bce4d42fceaf96154bb69d2524f1888b3eb35bb74b66b3990165476f10c1eb6b07adb1a828967fa5a8e

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
e6e797d1c3c1bb32e075a4e247de8da9

SHA1
4c8817700d10250f6cae6488031360aa5c3a8638

SHA256
0dda03d592873240ccdf2e2641cf9553943e2df519494ea6f9469e03452f3650

SHA512
75ea80d2fd460832cea853c970a54d6776532615110424352b55983e431039116838592cef26cd8013547f3b8783df45001e381b89872fb2aa8886a998f81bcc

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
ee0b3815d43b88bb032b17d75818e831

SHA1
6981b54cdfe8da2c33d5b37e884352845a189a0f

SHA256
01a5672c4632dd52b3f371eca24ba4960ee0eba486d9a712c0ca8202e1585ee5

SHA512
5c43efb9c8b54458e62af0f0773df3a3405171ebc8494644b614ea001502bdf7a9b61a1fdeeed1a6b74ce077b0a0895511d96dd609d8e5554bd3f01d89574899

Download Submit
memory/340-440-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/340-169-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/340-175-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/340-177-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/644-278-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/920-201-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/920-181-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/920-187-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/920-195-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/920-205-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/952-234-0x0000000000CF0000-0x0000000000D50000-memory.dmp

Filesize
384KB

Download
memory/952-238-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/1260-462-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1260-220-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1260-213-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/1260-207-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/1400-203-0x0000000000720000-0x0000000000786000-memory.dmp

Filesize
408KB

Download
memory/1780-346-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/1816-226-0x00000000015A0000-0x0000000001600000-memory.dmp

Filesize
384KB

Download
memory/1816-218-0x00000000015A0000-0x0000000001600000-memory.dmp

Filesize
384KB

Download
memory/1816-222-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1816-229-0x00000000015A0000-0x0000000001600000-memory.dmp

Filesize
384KB

Download
memory/1816-231-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2312-302-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2532-276-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/2836-319-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2836-470-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3020-281-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/3372-379-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3436-380-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3436-522-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3652-277-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/3708-349-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3912-524-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/3912-412-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/4256-725-0x000001FE76380000-0x000001FE76390000-memory.dmp

Filesize
64KB

Download
memory/4256-719-0x000001FE76380000-0x000001FE76390000-memory.dmp

Filesize
64KB

Download
memory/4256-722-0x000001FE76380000-0x000001FE76390000-memory.dmp

Filesize
64KB

Download
memory/4256-712-0x000001FE76380000-0x000001FE76390000-memory.dmp

Filesize
64KB

Download
memory/4256-713-0x000001FE76380000-0x000001FE76390000-memory.dmp

Filesize
64KB

Download
memory/4256-720-0x000001FE76380000-0x000001FE76390000-memory.dmp

Filesize
64KB

Download
memory/4256-520-0x000001FE76140000-0x000001FE76150000-memory.dmp

Filesize
64KB

Download
memory/4256-521-0x000001FE76160000-0x000001FE76161000-memory.dmp

Filesize
4KB

Download
memory/4256-726-0x000001FE76380000-0x000001FE76390000-memory.dmp

Filesize
64KB

Download
memory/4256-721-0x000001FE76380000-0x000001FE76390000-memory.dmp

Filesize
64KB

Download
memory/4256-727-0x000001FE76380000-0x000001FE76390000-memory.dmp

Filesize
64KB

Download
memory/4256-711-0x000001FE76380000-0x000001FE76390000-memory.dmp

Filesize
64KB

Download
memory/4256-576-0x000001FE76160000-0x000001FE76161000-memory.dmp

Filesize
4KB

Download
memory/4256-687-0x000001FE76380000-0x000001FE76390000-memory.dmp

Filesize
64KB

Download
memory/4256-691-0x000001FE76380000-0x000001FE76390000-memory.dmp

Filesize
64KB

Download
memory/4256-692-0x000001FE76380000-0x000001FE76390000-memory.dmp

Filesize
64KB

Download
memory/4324-525-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4324-414-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4368-191-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/4368-197-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4368-458-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4368-199-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/4416-150-0x0000000001460000-0x00000000014C6000-memory.dmp

Filesize
408KB

Download
memory/4416-145-0x0000000001460000-0x00000000014C6000-memory.dmp

Filesize
408KB

Download
memory/4416-408-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/4416-144-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/4416-143-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/4416-140-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/4596-467-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4596-301-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4628-172-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/4628-163-0x0000000000560000-0x00000000005C0000-memory.dmp

Filesize
384KB

Download
memory/4628-157-0x0000000000560000-0x00000000005C0000-memory.dmp

Filesize
384KB

Download
memory/4648-133-0x0000000000900000-0x0000000000A7E000-memory.dmp

Filesize
1.5MB

Download
memory/4648-139-0x00000000074D0000-0x000000000756C000-memory.dmp

Filesize
624KB

Download
memory/4648-138-0x0000000005630000-0x0000000005640000-memory.dmp

Filesize
64KB

Download
memory/4648-137-0x0000000005630000-0x0000000005640000-memory.dmp

Filesize
64KB

Download
memory/4648-136-0x0000000005640000-0x00000000056D2000-memory.dmp

Filesize
584KB

Download
memory/4648-135-0x0000000005BF0000-0x0000000006194000-memory.dmp

Filesize
5.6MB

Download
memory/4648-134-0x0000000005630000-0x0000000005640000-memory.dmp

Filesize
64KB

Download
memory/4956-523-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4956-381-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5076-471-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/5076-321-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download