blustealer | 164790d71da9d108d7baa215cf5336f0fd568d542cd18752688f9f7769dc28b7

Analysis

max time kernel
151s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
02-05-2023 22:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe
Size

1.5MB
MD5

39810b7912907fc879004874df0e9e9e
SHA1

f2e51d5e9f644058a8ff4d64458e2914ddf2a364
SHA256

bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61
SHA512

abd49e8623428a399f665e2157522b6d285cb6c1f77c043eb22038df2ebbfbb21f3823c08dd781be5df043f1ab9b514990ab890bc80086cf33860aa6f4e75b5d
SSDEEP

24576:molqfbt8n/WmtqmZfq/ppZge1+qWMZukXfRtgyCrWw:sxgWm8m+Zj+qbZuq

Score

10^/10

blustealer collection spyware stealer

Malware Config

Extracted

Family

blustealer

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 16 IoCs

pid	Process
2312	alg.exe
2624	DiagnosticsHub.StandardCollector.Service.exe
4100	fxssvc.exe
3828	elevation_service.exe
2844	elevation_service.exe
2068	vssvc.exe
5048	msdtc.exe
2204	OSE.EXE
2696	PerceptionSimulationService.exe
672	locator.exe
4940	snmptrap.exe
4220	ssh-agent.exe
1972	TieringEngineService.exe
836	vds.exe
636	wbengine.exe
2004	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\vds.exe	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe
File opened for modification	C:\Windows\system32\wbengine.exe	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe
File opened for modification	C:\Windows\System32\alg.exe	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe
File opened for modification	C:\Windows\system32\locator.exe	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe
File opened for modification	C:\Windows\system32\spectrum.exe	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe
File opened for modification	C:\Windows\System32\msdtc.exe	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe
File opened for modification	C:\Windows\system32\msiexec.exe	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe
File opened for modification	C:\Windows\system32\vssvc.exe	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\2ad8ac3350d0d086.bin	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe
File opened for modification	C:\Windows\system32\AgentService.exe	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4980 set thread context of 3428	4980	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe	91
PID 3428 set thread context of 4432	3428	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe	120

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdeps.exe	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javacpl.exe	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\pack200.exe	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\policytool.exe	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmic.exe	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javaws.exe	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\nbexec64.exe	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jp2launcher.exe	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\nbexec.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\pack200.exe	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\policytool.exe	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\keytool.exe	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\rmiregistry.exe	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jcmd.exe	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstat.exe	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java.exe	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\java-rmi.exe	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\rmid.exe	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jabswitch.exe	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000045c29088557dd901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000e6f0f8e557dd901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000023784488557dd901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f746278e557dd901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000045d78488557dd901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d2022f88557dd901	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000059a9f988557dd901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003b306089557dd901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	119	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
4980	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe
4980	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe
4980	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe
4980	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe
3428	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe
3428	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe
3428	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe
3428	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe
3428	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe
3428	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe
3428	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe
3428	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe
3428	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe
3428	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe
3428	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe
3428	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe
3428	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe
3428	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe
3428	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe
3428	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe
3428	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe
3428	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe
3428	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe
3428	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe
3428	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe
3428	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe
3428	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe
3428	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe
3428	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe
3428	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe
3428	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe
3428	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe
3428	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe
3428	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe
3428	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe
3428	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe
3428	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe
3428	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe
3428	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeDebugPrivilege	4980	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe
Token: SeTakeOwnershipPrivilege	3428	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe
Token: SeAuditPrivilege	4100	fxssvc.exe
Token: SeRestorePrivilege	1972	TieringEngineService.exe
Token: SeManageVolumePrivilege	1972	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3824	AgentService.exe
Token: SeBackupPrivilege	2068	vssvc.exe
Token: SeRestorePrivilege	2068	vssvc.exe
Token: SeAuditPrivilege	2068	vssvc.exe
Token: SeBackupPrivilege	636	wbengine.exe
Token: SeRestorePrivilege	636	wbengine.exe
Token: SeSecurityPrivilege	636	wbengine.exe
Token: 33	2004	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2004	SearchIndexer.exe
Token: SeDebugPrivilege	3428	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe
Token: SeDebugPrivilege	3428	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe
Token: SeDebugPrivilege	3428	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe
Token: SeDebugPrivilege	3428	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe
Token: SeDebugPrivilege	3428	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3428	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 4980 wrote to memory of 4788	4980	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe	89
PID 4980 wrote to memory of 4788	4980	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe	89
PID 4980 wrote to memory of 4788	4980	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe	89
PID 4980 wrote to memory of 3132	4980	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe	90
PID 4980 wrote to memory of 3132	4980	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe	90
PID 4980 wrote to memory of 3132	4980	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe	90
PID 4980 wrote to memory of 3428	4980	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe	91
PID 4980 wrote to memory of 3428	4980	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe	91
PID 4980 wrote to memory of 3428	4980	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe	91
PID 4980 wrote to memory of 3428	4980	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe	91
PID 4980 wrote to memory of 3428	4980	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe	91
PID 4980 wrote to memory of 3428	4980	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe	91
PID 4980 wrote to memory of 3428	4980	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe	91
PID 4980 wrote to memory of 3428	4980	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe	91
PID 3428 wrote to memory of 4432	3428	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe	120
PID 3428 wrote to memory of 4432	3428	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe	120
PID 3428 wrote to memory of 4432	3428	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe	120
PID 3428 wrote to memory of 4432	3428	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe	120
PID 3428 wrote to memory of 4432	3428	bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe	120
PID 2004 wrote to memory of 3588	2004	SearchIndexer.exe	121
PID 2004 wrote to memory of 3588	2004	SearchIndexer.exe	121
PID 2004 wrote to memory of 1420	2004	SearchIndexer.exe	122
PID 2004 wrote to memory of 1420	2004	SearchIndexer.exe	122

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe
"C:\Users\Admin\AppData\Local\Temp\bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4980
- C:\Users\Admin\AppData\Local\Temp\bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe
  "C:\Users\Admin\AppData\Local\Temp\bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe"
  2⤵
  PID:4788
- C:\Users\Admin\AppData\Local\Temp\bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe
  "C:\Users\Admin\AppData\Local\Temp\bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe"
  2⤵
  PID:3132
- C:\Users\Admin\AppData\Local\Temp\bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe
  "C:\Users\Admin\AppData\Local\Temp\bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3428
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path
    PID:4432

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:2312

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2624

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2168

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4100

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3828

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2844

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
PID:2068

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:5048

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2204

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2696

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
PID:760

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:672

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Checks SCSI registry key(s)
PID:864

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4940

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Checks SCSI registry key(s)
PID:4788

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4220

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1972

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3824

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1904

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:836

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2068

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:636

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:4652

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3588
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:1420

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
6e632b84673937381e64a171f666c06a

SHA1
ae1971269548f64ae2773e8696af644e6e904ca5

SHA256
f85357d7a62d4b74b7516a938a88cab44fd8810a5d5a4046fe6dbd1580eb0067

SHA512
b8dd6441661c6b1e8c8d1102c5bf763c783c05830c59ae462bdd201c4edd86246ed3882e8424474658ed7f9b958d2e1f73c11a29ea32d380fad30e9fb7480228

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
cd234a0c12cb1fe0adacb43d9f8b3ed8

SHA1
2bbfd4c9cbd91e1ae408bd13cc97ff86397b5c3c

SHA256
60cf60210499c75e2eff3a4f329f9eefe58ff662d7583e78ba2dff8f7eefc2be

SHA512
210f58cd2ffa0003fa68372fc951fdedf278dab38f259ab91172182b2b13589385b461be895f6039cccb75c67f5fcf5aae550c4e8228c9ec7f9528ab5e55f904

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
cd234a0c12cb1fe0adacb43d9f8b3ed8

SHA1
2bbfd4c9cbd91e1ae408bd13cc97ff86397b5c3c

SHA256
60cf60210499c75e2eff3a4f329f9eefe58ff662d7583e78ba2dff8f7eefc2be

SHA512
210f58cd2ffa0003fa68372fc951fdedf278dab38f259ab91172182b2b13589385b461be895f6039cccb75c67f5fcf5aae550c4e8228c9ec7f9528ab5e55f904

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
63eda14300e59dd8d9693d4c250ac0b6

SHA1
b44bedd2aa9eaa07d9278954bd81f3f1ca56efed

SHA256
2059d1d32f4a37ca358dee2ca3834a9faf974080a398676f9ec312796c33d383

SHA512
865a28d6b140606a032fe4204a1c7afddae2fd5e2e35fbd5fba98c5c1a811f195e80c216a66031895d598d50530d722a037553b6ce0d81b54ea9ec58dac2d5b4

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
5fc1d01d90a3ccd76b6bcd8a8fb39c5e

SHA1
6d411991f9928b2b24ab7f2a49c11eb83b32c678

SHA256
73bb0c1697a0e1af8dd3f9541e5eb15f3613480252a9e03bbc03d4b533aa7e26

SHA512
859aa46816cd8f203bfc45e176dfcc8f16bd571a459b1dd7a1fcfa5cd4e33ed8f3fa20315d5fab850c5e47e4aba2eff9e9879ae7685f9104ded7072b0ea969b4

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
4fd3986c6a2d96078c092e3acac1a533

SHA1
16339b60988e1f0063b862121721547874cb9d14

SHA256
8a7f5f6277090db287895ec3e5354b725accbfcba78717b9c2c0aaf5d60419ee

SHA512
d7e44c7a4c23c82f7ab0a054e9c638d38a574145299766830e625410a45046456675e21e206e72ff263b4b561bff9eb9ee9fd2aa461816be4fc864ac5882e242

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
f8aeeab1b34ec66fde0bf9470731af91

SHA1
64944d074bdd6950c94ef2b9ed5c4a88f8ed3c33

SHA256
72f845270e25039ab2d5d5db76272c2d2b90e0c09dda56c9883fbc05d2231781

SHA512
09488036f831766cdde4b85eb5fed7d73a6fb644b8bc986993fafba053e0959830149b03e6cdeb624135ab9e384efd37e1234ea550909abd50a8ce10b9ab81e6

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
81866d10cb4a3e0c3511b84c5415b8a1

SHA1
bcda6df2e896928a824cad23930a9383f71bb1cf

SHA256
d7d3fbae796e6468a44c89eb589a2ae482a4cbfe8a1449e4746a1fb0a87ee4eb

SHA512
fea0f80523c1e17e49d84a2120d4f9cb3d8685e1ef57a864eaccdfd275df0f8a99d26acb1093428e64d7c43076e4e02de2c5fcc546adca26eff918dd72330d88

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
3ea6d19aa9e027ea2609ef8e0eacfc09

SHA1
64bdb1f858239b35ee4d83e7c74822e64d35a08a

SHA256
fa90f65d943a32a34c352f8bdbcac61f800b2ff22e6fcf2776c592cb6e562590

SHA512
7f35f5e572a6a0fb75e22eff52e0f0327fcf24f12ffac2e343c3048c7b9a48405bcd37945ba5b182891e7b9b4ec8eceaaae4f6765aa4917f968c68f3664183ce

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
e82919ce6b211a685b0b54764fb12262

SHA1
d01d724e30dec9f32afe4130a3d84faf5a890027

SHA256
044ccc1294e1cfc8485e5d026cfc64d82e830b8c623488585a38e970190266b2

SHA512
0140a1ad6d7c270e4b17d6c39ecc0210fda486ca1946f53c69f5aeb95c417c81335ab8a49add11c82c9315ab7f69091828ffc0db252cbbe14e28910f019caf69

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
9c51b71f2cb8e94cb5b8e987d7e51d89

SHA1
4acf855fefdde3eb7d2067d57bf0f670f925e8b0

SHA256
0a8cb1febd9641fb868b30e772b581c9bf8a07d85373252e620d8c2d2f28ce5a

SHA512
75281d5a9287fd69fdd2698e8f421f8ea7a02406510545a632ad3ff19534b20b2609ecb3cee668e0ea191d07e28ba74d31e2213f032c7a4d077d31f346404034

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
308ba072505691d42c991909147b8437

SHA1
8b4cab47379b49c4be736ca5d78d39aac888fef8

SHA256
8d9d5ac5418c3f47b7bc8654323b17645fa3e7ea95e3382be18ea2f5ae441311

SHA512
6b0df636fdf3d7e4585075516bbc0ed533b84cbe37c8644c28e2126f38384e878550310e52115aa0d271584692fe83e925e2749f93697970e44bffd907641089

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe

Filesize
1.2MB

MD5
0fff6f5abcc0c9f398ee67978a7eb8fb

SHA1
a202bc8fdf31509d549e29cf73eb3281cc72ce4f

SHA256
b51e2b4a1492da8e4a88dc1edde70671526597bda1ad0345326b243cced149dc

SHA512
9f01b59b624e14f0710edc4c91348fb195caf325e1de95569371630da3f3c37104fc4487a48a489177ac91ce36cd9c7fee85b4255c69333177ee13c92ce12507

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe

Filesize
1.2MB

MD5
e3fe98420d239793280ed8d90938b1d6

SHA1
e82d2d482f52ffd4bf04c28f009d909aad36e03a

SHA256
1a3500c3de48639dad4c2f960f051ae35c68e4befd4892f61aa76597d410bc43

SHA512
17081612eedab170353a735fb92d453c79015f2ad52278330c4e9dabd20a95d9720d7a5f9dede46b79041d07848aeaf53e38f812b9247e48f40e59d72b699932

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe

Filesize
1.2MB

MD5
5f3a8fa32ceac4ddcabde5519b42edce

SHA1
cfb26b2db28066d80fcbaabfe21b5c56aa2a3dbc

SHA256
191a6cb2a2a3597e1106f768c1ce1b3847ec511c46e5f68f3b0c58a88a3fc6f6

SHA512
611967ce4ea492df4d54de17ae2b6a3c5c47121438cc85ac5511652b76f3375adb83d5c38646e21d4f54b890979bc3cb768bec7d6a26482eca0ac5caedd0fba6

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe

Filesize
1.3MB

MD5
c569158550db2d10abab344b5ad1e2e7

SHA1
ee895654bb4e36afb0350f404e7cd719ecfb1eec

SHA256
37c2ffc6f0ab40e75eb0622384d7897dd57dfc93ff4f8e1112eed0d75011f9a1

SHA512
38ffc7e94ea252b44fe8f033bc98b26e021827da6b6659d36e562a0b560f8e275270640c9ae8e715242ba0ab4c8b97442ca18ea796136c77d3ea6a6ed8619888

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe

Filesize
1.2MB

MD5
52c892d61ab1774c50bda8812f5aa4c8

SHA1
94a1f928ddcef2211b487abdee0ca1dcfc34797e

SHA256
89be2c1e1ae5cdfc37037c696835eb88621c73bf7086bd3e85c3a0e6fb6dcf98

SHA512
2d10379856d96d76e698bc900068ef44ed00feccf8a32d653383761aa5c83d65209c6594e425c007fdbe515ae05cc46663f2d52a9e774b06bc4c94c0070d13f3

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe

Filesize
1.2MB

MD5
49c502316cc35da92ae274ad6695a788

SHA1
80746119d33877b2b053a20db5326a8ed8c0feef

SHA256
623bfcebc2c3594cf70737ad93c37027b8399229fb6a2940c86b70cf3f3e01ed

SHA512
e926bdfd36664a1cd071f15b6e64e4f15800539ccedb95c1d814d2dc7a3c477e3e0ed9b0f2c21a34dae420355c93ba0bda317cdfde84bb994b67e1a671008e7f

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe

Filesize
1.2MB

MD5
8b181aeaaf25ad83bc1348c7a7e29fac

SHA1
e759bb0d1bcaef939ef2877846266cf4f5bee748

SHA256
f145aae4eb20543b1af88ecdc6f884d268894fc2df2390bbbcf0efc6ced56554

SHA512
a9a46bb5cceb6cc84b5f79a820d4892cbc0cf7b46a6d75c2e9cc38dc18a5889df9fd368170ebf4f820dfad58025f1794b6649f41006270a7fd9f08ef9aa90534

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\java.exe

Filesize
1.4MB

MD5
6ee1d71592a0c7083e663f371e08f353

SHA1
ca241385f4414f08528df9b14471bf7338bd9cbc

SHA256
81fe85d18a83a5f7d4ce5b9d3d60d7360ce3a4c85a5ed4321642c4a4eed27b5f

SHA512
cf20b4a8c5eecd894b2a4c5c2ec23b747abaf7c6eea12b2a567f7aeb73b674fef97abf37e67cf3403f5b91a27ca023da95eea625d3737474a0925053fec36211

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javac.exe

Filesize
1.2MB

MD5
2764d3850b8c5d05e1085666baf02c1f

SHA1
e41eecdbf2cf128d0e362e0468538e5d0475518f

SHA256
b59464e3f2ab9789083137e1155e838502c5a648e7960f9390f045e0949485ea

SHA512
5bd8181d4d601793656f2f57971781df90844a49d8b6f8198cbbb6bb64e19fc4a3823e1c44c2e4401d2976331447ccb6bf8fbad955f9d8d993b831d41368e1db

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe

Filesize
1.2MB

MD5
d76ac62ed3768c055e2e0b944c3647e5

SHA1
c080d98259f39fa10136a6ebe04dfd5e8f0ab995

SHA256
7369d1814403e8bda29614bcb9eaa577d282ad8d043e11ac1f132dbe84dc81a7

SHA512
620d185e3545a2b40e35084732d3f78d6277dfdeb59796fb731c76eb2d4fe1be3f3ace0e003a48bf6c63b13d33dfb99de4053a22676b2b6ebc0d3c5a8d36d89b

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe

Filesize
1.3MB

MD5
335795fe0991028457b4744fe249f547

SHA1
f3278db32dac69c9b6fe58d8f92c69a12e066c0e

SHA256
625fa981af727d1437d671b5df40cbdd4905ad20582f21a75b54ae41318e45ee

SHA512
8deae9ba80d9959421c7db865eacaa26139cf9a1cbe7f94986c49bba64f4f5ba3cc89698ed30033abfe2b582befc10d8ceda5337480ea0c14590a14fe99b2384

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe

Filesize
1.2MB

MD5
446e1ec16431d67d81477637806319e9

SHA1
b11974879cd49846ae43d6c8e16a1c4e057dbdcd

SHA256
66542a7c85b213d10c992a0931677e979591a56e6d229b11e3dd7a62128559f9

SHA512
bd7f63e597e0b3ef645f018c836b2a70bccc337009c53b5679e1a4cc5e0c2adb2d5d01c256338ec9be35d70b248dacce1275e236ea502cf63ba9fea3cc5da7de

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe

Filesize
1.3MB

MD5
a57a6bdfa9382b8f4207852c30eaae27

SHA1
935623e4026a73c98b348583baca4383ccaa01dc

SHA256
726170eb0de2a69b70275f68fe9550eb94b772fbaafe0261adac56149696b2be

SHA512
e044935dac43eb486bf16b36398e99bb1bdf09f4f8cb1ca9d37febf1b2bdd0eed7a61cbf1cdf6b8d310c5b4dcc119b72c2ce548c7091a3e1d1f8834d8793ab58

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe

Filesize
1.5MB

MD5
b371b29a16914ac0f93525ab2d03d9f7

SHA1
4f3f135c1e660be6f9bb11c9b9277ba850f6a453

SHA256
2853e5caadfb29dde609e82abb1adc69760d31cd64c61cbcadd59d747cdd7547

SHA512
0be28670e3ad8e2950aa5e2eacf1179086f658a072a22ef27df21de9925bd5857340bf8865d41926efa9b5cb1f79d8abab5840aea0580ac1642c794e46289170

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jhat.exe

Filesize
1.2MB

MD5
b5f9d229c05acef4cd50ecb0f7fb4c2c

SHA1
ae72cc680610400a81b0b2d6355f2347d155805b

SHA256
c0e8ecf77af6ee120b1c301c35044f79bf013702415ceb56acafa4cc44198f8c

SHA512
a6b2862f235c0d1b34f3dd94a39dd0db75c2ee110018906e00ebdc5dff57b4c9a9c1a778c3f7a77f3f7e81492ae308ac52770b345391352d4f7d4033df5ffe4e

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jjs.exe

Filesize
1.2MB

MD5
6cf17a5d3e8bf2b7d3c6e53d58c85ac3

SHA1
32e8e26b7e47be97b1dc806fb034861635118a23

SHA256
565cc945d5fd2036d8d56616a4149a098a756cfc13e70502153d927b19be6e43

SHA512
49312cdea9e9649f8ffa4510e1439450e10086e7a90af5880d6d5b6b7ba88dffc5ccd4d0751de1fdca51104004ee769a8dc5a2ebe148cedec4476f5680f69461

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jmc.exe

Filesize
1.5MB

MD5
5bdcc9b43271ec4a66793b0fad34535e

SHA1
4092006b5ca6e3700235b7e5231b5116758afe5b

SHA256
9a439bdf6377d4c7f1eefda8e76d2c820da6a0797c7527f4c583acc8059f6311

SHA512
44f0be2d65a9cc1cd663152af148afa2b3ab302cdc6202d1a809422db2accac048472e7ad5eaed9b060ff4debaffe116888294f0c044e0cbf6c02a8b1257968f

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jrunscript.exe

Filesize
1.2MB

MD5
e36c0518a6034936559639f56c17e408

SHA1
91229e1bc4aadacb82c7056e8a5324d4427b7f25

SHA256
105077cc4c475f8db069cd7b1b794e072e6fe736db619eca23376f2f60fa3f8c

SHA512
10ea57792e5160a1b84912a0868e7ee8455983ea511f1c17027fbd879e3c65a19288d98a5aca4211e87fad833ef28127c0c0ad293bddbd949d23b88b914c629d

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jsadebugd.exe

Filesize
1.2MB

MD5
60c5690f63b84e84507bceb63f4df4e6

SHA1
c7cf5aee20834c76524629e9213cea3bebc3fe8c

SHA256
428db9805b9bf76076186c4a3cb89595f24680d3ebcd19a9244dd58ca5d07920

SHA512
6de243f104389c77602c8d1cdabbbeb402ab1bec04c44938e9828d7b69e94aeee8da7e5b3411b737e492062baa7406819176c3a9b542aec530fb150897222c57

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jvisualvm.exe

Filesize
1.4MB

MD5
f6fda498c8c439b57e8173fb525f21b1

SHA1
8cb8a882965cfa7c97aff5a648af974ce0a0f47d

SHA256
c7859145a434392c70d772baa2aae42162636b08ae713dab48cdeee6923dd5be

SHA512
181451711b7483d0838149010942f43339d0c32d72f215ad5dcf2b2ceba8351d4132eaebaf2c2128bf74c1119949a26fc8651fd6e34d90dedb8dc7bfb7132481

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\ktab.exe

Filesize
1.2MB

MD5
beb68a465020203601fcce407f614ab2

SHA1
932908b42340569abf8984878badf6757f266e44

SHA256
5d5dd1fc5d5c18e0bc1695ff37348be939bacd181af1763995a00f14525f7951

SHA512
4498b634a7318c0c70fd0b4f67663b26e21d776b79a5eeb61a1b1047f5718b211743d3ec0ee5f26b0cac2bf633dd2d0aacf75210a084e259c6649cde47e42c0d

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\orbd.exe

Filesize
1.2MB

MD5
4f7ed0fea9752449f962aae836faf918

SHA1
f4dd6dd6d1297ec480b1a1af182415de0ff584b4

SHA256
4f2ec6a77dad6529e3046d7606e54bd4ea9842ec87473e689f2b8ee077933de3

SHA512
65d8b9d3ff3d9b6ce375fd323e632e3cdb1df0537ba0215994669e56d9fdce2b78031f541058fb02b666c83dd8672ede2d7a9185a680ada77cef0bc22ced3a38

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\rmic.exe

Filesize
1.2MB

MD5
4d7545a82140e5a2580b551c2fc45927

SHA1
f3a510db616e3b04cbd3f168097e815e65076729

SHA256
ed4ae78ec5c6004647b07e0ee203faa0b7cc5f470bd07fa8e51c25b125b189f9

SHA512
e06f4c41bf608980422cc5c30f3f67d88ad3b49019ab70a05f32fa95aa63e14aaf9aa1a49543e1e76183c24e3d659cdd59fc808ec37a95fac22c26e25d426a9e

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\rmiregistry.exe

Filesize
1.2MB

MD5
d125663140049618fa12376343119f52

SHA1
b2c7403343a5773001403a0aa3ba020ccc50be89

SHA256
ca63a2f99098da04362ebb3f27a0123106fc56c8e2c23ec1a5fd11323e67d786

SHA512
dd03b737a0b0b07f1b56ca7fd2dbf1957eb9cebdee3375c0730d7f13d1e23f179739beca76e0273484cd57ae3ea16aa204a37d278719fb95f1bbf2b3b87e2d10

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\serialver.exe

Filesize
1.2MB

MD5
263ffe548390c76afb0c511bf9daff10

SHA1
f49b5494df6c695b37bb11809e5573993df6cc1d

SHA256
7ff6ae3295143eafd501435bb1f4af53235dc3a71d0bf459ec45030e0554395c

SHA512
8ce787cfdaa09fb1c7b17723da5fe82e8c1fd0924d5601f2c9953457b0c7e5bd790f90244520a25973c058ad65fe09081c9ba882a8d97df882d1c147a9653786

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\unpack200.exe

Filesize
1.4MB

MD5
006fc588da7e8213bbfee2b7b2d422bc

SHA1
51eb14be41c64814f7a1bff40f33947db856f2f8

SHA256
5211541379ded50db69b0b8f46785138c9ac73e11e2dc28e2de1e2de9c395115

SHA512
5115a7ccc6d7dfc39cac38779672d14332809717bf471bc8ce0a09fd6a797aae6d7041571943a5c57d86cbf5c7d8d0a1ee11d4871aa73bb99af7d0f2d0c59930

Download Submit
C:\Program Files\Java\jdk1.8.0_66\jre\bin\jabswitch.exe

Filesize
1.3MB

MD5
a1c8ef77bb9914b50fe2150d25d48e9e

SHA1
12efbb10fc452e9abcd05bcd3172eaf1e2a8d5f7

SHA256
40edcd19631642d881db570d894d4ce8cee0af8c6ada8d016ca92d7c187a4a6f

SHA512
7e3d823eb8fe9ae645b7128d9cf481dea10cd369a9ad78c362573222db28ed0dcd41a7d2befb067db76114e31fee39e5964d61d4486fd048fa51e5844e693e21

Download Submit
C:\Program Files\Java\jdk1.8.0_66\jre\bin\javacpl.exe

Filesize
1.3MB

MD5
e142f13cba233b9df8e0c7e8105245f6

SHA1
85d989944885187076ff5d5fcd7073e2d0420834

SHA256
5e6b0e384d705fe15caecf22b1105ad6a6ba4a75af216b7bbb00fe4022f2948b

SHA512
0c3e61e8bc39359af51d96366d74453dbe083e306fc124f0e57fd133944b927a7bedcf0f6e3faab957c65e36f540c8ad78a5ba052ef42b63875385a294c417a4

Download Submit
C:\Program Files\Java\jdk1.8.0_66\jre\bin\javaws.exe

Filesize
1.5MB

MD5
e99a3ee2d837c8032f57f0e3d24935bc

SHA1
098ad5674f8ac6a08e7c67ce9e0e5cf53d64aa83

SHA256
5b7f0f27a24343484853c67ab511839ba5d4b68e8acaaef8d53bcb2e23fb65b7

SHA512
d052318b7f16b8191fff0ca1b4b591e2ef3173e6faf548b023832dba07742b49b3a7454f5615ae647579bd1a1865333b75ce14547321ad769b75f62b8b70dce1

Download Submit
C:\Program Files\Java\jdk1.8.0_66\jre\bin\keytool.exe

Filesize
1.2MB

MD5
13c33655cd6a80a81543c25cbcb90e1c

SHA1
c28f3617eb1e34f07b4867d7fcaafa226d5e29fd

SHA256
2753c78ac696c120953c463c2d53ddfa483da8e205a1a8bd8476eff21488716e

SHA512
8ee68461ccbe7a2530e5331c41abec251bb3b9f0da5768216917258b2a1136a46b27a8ac33d879aaf373b0c01c4a02ac23db8f01c791c13beeaa1b6f5643434a

Download Submit
C:\Program Files\Java\jdk1.8.0_66\jre\bin\klist.exe

Filesize
1.2MB

MD5
47c05ffc59439d9b554eeee319e9d4a5

SHA1
e3903ee418a02f8b94f1710cbe611aaada1ecdb4

SHA256
f338dcf74972bb9731815b907d3b260f7fbf0e711351fda33e3d6770b33a6bfd

SHA512
21f9c1c3021d1605a6550f87a3c03ba7f8e7ff5623cab7990778daa11438560be9463f3ad35c58af6e6f50c61cf47154744ce222dcf9ea3a0dffe9a5e11fa81a

Download Submit
C:\Program Files\Java\jdk1.8.0_66\jre\bin\orbd.exe

Filesize
1.2MB

MD5
e84b7b012a3f01b4e75d14d3b1a98d38

SHA1
178facd2a540a30a1c7d130c8c89e8956b12d603

SHA256
cd3c4ddab8c5f88452bf6f1c713d6bbb91acf01092fbfde7826d07be5797ea67

SHA512
25d32b9be58c599327dae704a14a90757778d27920cb8a0fc3646ff5c60e9d8fef3771061c59a787e2614b7e04cfa45c836b2396f0734468490e56fe7c5e4beb

Download Submit
C:\Program Files\Java\jdk1.8.0_66\jre\bin\rmid.exe

Filesize
1.2MB

MD5
985af3f4653455b4868e2ec97370e1e9

SHA1
3a2ba639900b2a2d978ace5e4226a9ff44df7faf

SHA256
764b191b9abff7b814926cd9d489e324dfc76a25a821727eceac1f3cd1b412ed

SHA512
fb241315e9adb8703997e72bbb75ba76bb1c8bfde1b772d9651f96a7b06a8b2f2d91adf9c85e6d3b24b7d3bc8cc71ddb1b88cf317161121ea92ea3e41bab4eba

Download Submit
C:\Program Files\Java\jdk1.8.0_66\jre\bin\ssvagent.exe

Filesize
1.3MB

MD5
a13b297647fda63eff8e9f8d03c0d21e

SHA1
586cb552a2e874a6e73befc3ffba47270992c339

SHA256
30939c4e02e4818a82f23c5ff415afb9a3229eaa5be3215d1e721acc97a57515

SHA512
acaefbd0c59ae6733e40628855bbc2907219574e24471e49ab97d6bc58d3e5291e48583fb0c84838f3fa3de32bbab88bfd1059f6716d14d03b451114d39e1a60

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
baf6984817bc4b97587b9a283788522f

SHA1
7111778342abfd557a3bfa50fa47aa748b5e79a6

SHA256
3ecd101c4e621dc4cb2adfbb66a51e109fa2a96cba1a3b07627676a365f78a2e

SHA512
1fd69dd7dc8477e1232a3e01a45e02e5d8814a19de5079315f04398547aa71fc033adf70abc9c98335e94848901eb75e1b15ca17dcb5a3e3ac9f4496dbe5ddb3

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
229708bd3f6a77b8a7d7e09b7b428e8b

SHA1
7308db6481ce496964cb2e2b312d79df838f53b4

SHA256
a3972f07aa67efeb52b978b7b4ef2651f98246176fc95613cc6acd57616857e5

SHA512
efe6e09b10d6c91e65b768dc6dbb6b1e3f0f5f4cc7edd289ca233b35263999320f03a34fb083ff68ef2e0b2f118502739fcaa936d1b5ecc45fba4399ee19f1df

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
76524245b719c347ab3b4ebfe1bc0ed6

SHA1
3ba37060a14e9a54029f74c7e077683835ee943a

SHA256
19b1436feec61865ab20fabbee12afe19ec9a174dfd4a6b2988c066bc89cd7fe

SHA512
237217d8d60b1a7757e71f797b2142b2072b100faef1bef940a606e01d978358d320feeee6744880fa559c116a929e4d5869b697a4b2252fc885e8ff4d699cf5

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
b21d3d3e7e015e235639b6a7893bceb2

SHA1
12f299f3f4bcd9ec4c1126ec1083a78a28cb4be2

SHA256
f6e223502af83772c070357d0c8c4360bf830df518dd56879bee835884c40121

SHA512
7c2ec2889dba9822c2ff5374f6ec23f42e4878a9b10193699d37c93cdd934588235678947162f95ad6ae361b255ea60622c7dd13f21a30260061c4763903ab65

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
a6ca1051dc8a2d5d27e201f32bccdaaa

SHA1
bbed380915629251219e90ab126edf60110df7ba

SHA256
3a4d9d8a3996891846dba59883fc54b822d9ce6bd9f97fc702bd278dc278c734

SHA512
e96e2337eab3d6c2a7a7e9eb2893cf34ec613bbc37c1bba8da709d23e95b1c7a7fe140d760e94ad8f30f7de4f486ec9d427919d8214d64eec53bec16d1fcf844

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
a6ca1051dc8a2d5d27e201f32bccdaaa

SHA1
bbed380915629251219e90ab126edf60110df7ba

SHA256
3a4d9d8a3996891846dba59883fc54b822d9ce6bd9f97fc702bd278dc278c734

SHA512
e96e2337eab3d6c2a7a7e9eb2893cf34ec613bbc37c1bba8da709d23e95b1c7a7fe140d760e94ad8f30f7de4f486ec9d427919d8214d64eec53bec16d1fcf844

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
a1ec8d3c5ef9cd29b952547bbceb9d01

SHA1
1d97bb629ad27ed1a891dedb64dd308cde53de6c

SHA256
824fb248ced2f45c58c1281089f5c2d98dd316e5b8100d808505185052967f25

SHA512
2a0a9d82ca80ec3af796bba45b131cf082d3a679742e1e7095f943fb6c3a663a937affd41e55d73f3c7a40e7b6de5502565431e13170cebb65cbf5905045778d

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
91bf9144564482aea19e7caebd56ad64

SHA1
f47a78d79ebbc6e0312b4609797e821169837eb0

SHA256
b5fcedc505bf6840330168303c4183f6015fed0c8dd00d0a3c671e5494b2dbd7

SHA512
6162395b41221f0c7b76b6ced353954dac88079d45d5bd74e2233bdd563c7fb9eba001486ba66de153f80e93d0c63cb98f09da8d89875ea4e433f324228b0ba7

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
b8354e1bef0a36aa6bcbb6fa2e803889

SHA1
c91bcac4165e7d14a9a52506792776285d400b58

SHA256
996cada607a9fff90b8b4adaefee3d860e7eb40de8bbe01104be4cad6c19d1da

SHA512
7790d62fff73f872c74fa69d4e67773dbcdcffb625f078ead7201600d69864e3e4777e2c054e93614207d320440a2eea0969e4c078223e7106e93e4c8d116f9c

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
7bf3205483633b82cc361f95f407ea79

SHA1
b139efea07b7be0755b60f888dcc2acdf40bb842

SHA256
aac633445abbd1aeac57f953895f3340b4e582161252f0f4ac735046c4fd532d

SHA512
ae021749f4747dccaa70b91015bd0eabc5668efc7a251f607552c547747cb3e11521b62da7d382a7a4c491f6f6b8b1fb9f1b5f33446abc51317fa6f0acb6b4d9

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
9c4f298b957a87173e5f162eccf626aa

SHA1
1daa4210d91cc4c578c645b1d31bdc1a43f55d86

SHA256
ffcdad2a43c9d413cb2cbe2ebb34f800726b24bd05e07edcd205db2129631987

SHA512
18c5c535af63cab543955c5cab0819c34450bb11405f6dc240d7bc9720c4863f8a7829253895a56a5000c65e4be19f5075337e7dddf851e41099f0a26e1c6bf5

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
50505cb6cdd5a5e82ef034fe39436085

SHA1
f11082e337581dacd7237d566c74eda41e07f781

SHA256
0074cf46502fc5e1edddb045beb161904d24187d24edaac6e5cc28d982fd12b7

SHA512
c3280b4086e082a2ad42469725b2c10a54b4b16ef4a7bf34167d537b9ca344274a08b7349e5a06a783a88398a2f7a525ff8906b2a9703799a893abb0be10d118

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
2bf08a2fef080e64371e38e538a5f38d

SHA1
a28c3b1af50dfe72627e4a1c20c26eb245b6606c

SHA256
2114424f1222f064f37f0d07c9f4a055279ac3961e9e22a1e012b515de666188

SHA512
89dde55784fb24e7d93ef5464c2ea9a2f25d32bb272480f84512c0ca85d565b7e7c88bbc8f29d58b32c02f08f0a4f5a34a7c123bf5cf74ef06c2432cfff67d73

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
fd69e91b9fb0441cb47e1167ceabc817

SHA1
32a33942aed90fd1e99b251687b58bb96c0ef042

SHA256
b468ea8b2912714640f375e6d5e4edc14616d0022c2c69cab1a2ea316c9662ec

SHA512
2f92d8fc6cf905aac31bbc262d4a6d41c11c54ccdcf4c719b7c03c4a8f2d653f4d15731c4645d449bfeafdc56d89456344e6235f7868a5eb85fbee36e88e92a1

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
d025f7cba083aed11d82baa1ba55fd79

SHA1
a3b894787b90e1510afc8576bccbc7dbd743e0b8

SHA256
8b4bc6b54930e355336227d4de5536d753eeca126108ca91aa5ab102c2e93b8f

SHA512
403ee774906d8314c8c0d24123667679d92ba45c65d095b29aa9aa010c747785f2a7a84335a68f01a51f4afa4fd3ef54547449a60566e27bf30ee8d9e874b8f4

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
74630af91c3d98270cc828f84a226a33

SHA1
5db8a18a3d14e73194bfc42b6a9a0e0a97e95aec

SHA256
f5664442fe7863997a8d76100fc5de4dcb269c43489a1d6e496f704f10e65661

SHA512
6ba31312121ea9638968a944d47ccf8170cb73d6c630b1d29b2bcbbb526e4aa11213924118c3024bf5b732946503fa18470d949e88bb8a688b502b1a8f58df68

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
76524245b719c347ab3b4ebfe1bc0ed6

SHA1
3ba37060a14e9a54029f74c7e077683835ee943a

SHA256
19b1436feec61865ab20fabbee12afe19ec9a174dfd4a6b2988c066bc89cd7fe

SHA512
237217d8d60b1a7757e71f797b2142b2072b100faef1bef940a606e01d978358d320feeee6744880fa559c116a929e4d5869b697a4b2252fc885e8ff4d699cf5

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
2656f6afb9f156e8f0dbc8f1dbf34fa4

SHA1
a8333fc2244a17527fe4a408ceeb4d41c36574d2

SHA256
779379e3156e9fd56b5a5f2d2880146b350543503bba42ef756e13a7bfddac14

SHA512
d381506ffbd9fc0717c68ae401da9ba0fcd56ae198f95e0792598da4a072481ace883b26d0fa4739865bf5ad4c5beb8a65916cf636e3c3ff3bc2d7dfc976b148

Download Submit
memory/636-529-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/636-378-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/672-283-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/760-281-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/836-528-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/836-358-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/864-503-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/864-286-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1420-629-0x00000254E7DB0000-0x00000254E7DB1000-memory.dmp

Filesize
4KB

Download
memory/1420-581-0x00000254E7EE0000-0x00000254E80CB000-memory.dmp

Filesize
1.9MB

Download
memory/1420-560-0x00000254E7EE0000-0x00000254E7EF0000-memory.dmp

Filesize
64KB

Download
memory/1420-558-0x00000254E7DA0000-0x00000254E7DB0000-memory.dmp

Filesize
64KB

Download
memory/1420-559-0x00000254E7DB0000-0x00000254E7DB1000-memory.dmp

Filesize
4KB

Download
memory/1972-333-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/1972-526-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/2004-396-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2004-540-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2068-527-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2068-216-0x0000000001A20000-0x0000000001A80000-memory.dmp

Filesize
384KB

Download
memory/2068-217-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2068-223-0x0000000001A20000-0x0000000001A80000-memory.dmp

Filesize
384KB

Download
memory/2068-226-0x0000000001A20000-0x0000000001A80000-memory.dmp

Filesize
384KB

Download
memory/2068-228-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2068-354-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2204-256-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/2312-376-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/2312-156-0x00000000005A0000-0x0000000000600000-memory.dmp

Filesize
384KB

Download
memory/2312-161-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/2312-164-0x00000000005A0000-0x0000000000600000-memory.dmp

Filesize
384KB

Download
memory/2624-170-0x0000000000660000-0x00000000006C0000-memory.dmp

Filesize
384KB

Download
memory/2624-176-0x0000000000660000-0x00000000006C0000-memory.dmp

Filesize
384KB

Download
memory/2624-178-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/2696-259-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/2696-513-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/2844-479-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2844-215-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2844-205-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/2844-211-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/3428-149-0x0000000002BC0000-0x0000000002C26000-memory.dmp

Filesize
408KB

Download
memory/3428-159-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/3428-140-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/3428-143-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/3428-144-0x0000000002BC0000-0x0000000002C26000-memory.dmp

Filesize
408KB

Download
memory/3824-349-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3824-335-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3828-439-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3828-201-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/3828-197-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3828-191-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/4100-181-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/4100-437-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4100-195-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4100-192-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/4100-187-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/4220-315-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/4220-521-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/4432-409-0x0000000000590000-0x00000000005F6000-memory.dmp

Filesize
408KB

Download
memory/4652-381-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/4652-530-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/4788-313-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4788-520-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4940-311-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/4980-139-0x0000000007770000-0x000000000780C000-memory.dmp

Filesize
624KB

Download
memory/4980-133-0x0000000000A00000-0x0000000000B7C000-memory.dmp

Filesize
1.5MB

Download
memory/4980-134-0x0000000005B80000-0x0000000006124000-memory.dmp

Filesize
5.6MB

Download
memory/4980-138-0x0000000005590000-0x00000000055A0000-memory.dmp

Filesize
64KB

Download
memory/4980-137-0x0000000005590000-0x00000000055A0000-memory.dmp

Filesize
64KB

Download
memory/4980-136-0x0000000005530000-0x000000000553A000-memory.dmp

Filesize
40KB

Download
memory/4980-135-0x00000000055D0000-0x0000000005662000-memory.dmp

Filesize
584KB

Download
memory/5048-495-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/5048-231-0x00000000007A0000-0x0000000000800000-memory.dmp

Filesize
384KB

Download
memory/5048-237-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download