blustealer | af2ff9bc5e9582e3301aea8cae68cb9fdea3e56b75dd57853c156c15757462d7

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
03-05-2023 01:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
Size

1.5MB
MD5

581f51fd35e943a69a4c569fa8654736
SHA1

610e7579a996ea788ccb688a9dda9d4855a40a2d
SHA256

18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043
SHA512

8bb8ce0f096c5a08e2457c7039f0169ae312f850e8189e240176e7a4ccf4ba113efe9f3a19e4e282ff66b60e48b0e07127270da804e0192f5ef091f7ea9e03db
SSDEEP

24576:Xbj8B+M73OglQfGmzu7SulbydbwcLxTDkU9tMMkB5lO2dMqtX1uP:XX++tglKKPwbwcLh4otmB7ldMg1C

Score

10^/10

blustealer collection spyware stealer

Malware Config

Extracted

Family

blustealer

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 22 IoCs

pid	Process
1852	alg.exe
764	DiagnosticsHub.StandardCollector.Service.exe
3160	fxssvc.exe
1676	elevation_service.exe
5024	elevation_service.exe
2800	maintenanceservice.exe
4236	msdtc.exe
1680	OSE.EXE
1448	PerceptionSimulationService.exe
2020	perfhost.exe
3820	locator.exe
4856	SensorDataService.exe
4324	snmptrap.exe
2032	spectrum.exe
1328	ssh-agent.exe
4512	TieringEngineService.exe
2984	AgentService.exe
4644	vds.exe
4316	vssvc.exe
2396	wbengine.exe
1044	WmiApSrv.exe
1296	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Drops file in System32 directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Windows\System32\msdtc.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Windows\system32\locator.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Windows\system32\AgentService.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Windows\system32\spectrum.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Windows\System32\vds.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Windows\system32\vssvc.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Windows\system32\wbengine.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\8ee56276c94b1c77.bin	alg.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1448 set thread context of 4960	1448	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe	93
PID 4960 set thread context of 2876	4960	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe	99

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmc.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstack.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstatd.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javaws.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jp2launcher.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jcmd.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\servertool.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javaws.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\keytool.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\kinit.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\policytool.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\keytool.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\kinit.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmid.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\tnameserv.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\wsgen.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmap.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\policytool.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javacpl.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\schemagen.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\ktab.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmic.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdb.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\unpack200.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\kinit.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\ktab.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004fae550a717dd901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c886130c717dd901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006f202209717dd901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000043456709717dd901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c9adce08717dd901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e5e6eb12717dd901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002106aa09717dd901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e96f1413717dd901	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c520e408717dd901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	297	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
4960	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
4960	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
4960	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
4960	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
4960	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
4960	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
4960	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
4960	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
4960	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
4960	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
4960	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
4960	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
4960	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
4960	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
4960	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
4960	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
4960	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
4960	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
4960	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
4960	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
4960	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
4960	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
4960	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
4960	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
4960	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
4960	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
4960	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
4960	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
4960	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
4960	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
4960	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
4960	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
4960	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
4960	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
4960	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
668	Process not Found
668	Process not Found

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4960	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
Token: SeAuditPrivilege	3160	fxssvc.exe
Token: SeRestorePrivilege	4512	TieringEngineService.exe
Token: SeManageVolumePrivilege	4512	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2984	AgentService.exe
Token: SeBackupPrivilege	4316	vssvc.exe
Token: SeRestorePrivilege	4316	vssvc.exe
Token: SeAuditPrivilege	4316	vssvc.exe
Token: SeBackupPrivilege	2396	wbengine.exe
Token: SeRestorePrivilege	2396	wbengine.exe
Token: SeSecurityPrivilege	2396	wbengine.exe
Token: 33	1296	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1296	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1296	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1296	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1296	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1296	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1296	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1296	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1296	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1296	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1296	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1296	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1296	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1296	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1296	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1296	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1296	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1296	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1296	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1296	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1296	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1296	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1296	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1296	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1296	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1296	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1296	SearchIndexer.exe
Token: SeDebugPrivilege	4960	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
Token: SeDebugPrivilege	4960	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
Token: SeDebugPrivilege	4960	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
Token: SeDebugPrivilege	4960	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
Token: SeDebugPrivilege	4960	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4960	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1448 wrote to memory of 4960	1448	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe	93
PID 1448 wrote to memory of 4960	1448	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe	93
PID 1448 wrote to memory of 4960	1448	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe	93
PID 1448 wrote to memory of 4960	1448	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe	93
PID 1448 wrote to memory of 4960	1448	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe	93
PID 1448 wrote to memory of 4960	1448	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe	93
PID 1448 wrote to memory of 4960	1448	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe	93
PID 1448 wrote to memory of 4960	1448	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe	93
PID 4960 wrote to memory of 2876	4960	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe	99
PID 4960 wrote to memory of 2876	4960	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe	99
PID 4960 wrote to memory of 2876	4960	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe	99
PID 4960 wrote to memory of 2876	4960	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe	99
PID 4960 wrote to memory of 2876	4960	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe	99
PID 1296 wrote to memory of 3880	1296	SearchIndexer.exe	121
PID 1296 wrote to memory of 3880	1296	SearchIndexer.exe	121
PID 1296 wrote to memory of 3020	1296	SearchIndexer.exe	122
PID 1296 wrote to memory of 3020	1296	SearchIndexer.exe	122

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
"C:\Users\Admin\AppData\Local\Temp\18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1448
- C:\Users\Admin\AppData\Local\Temp\18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
  "C:\Users\Admin\AppData\Local\Temp\18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4960
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path
    PID:2876

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1852

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:764

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4296

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3160

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1676

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5024

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2800

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4236

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1680

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1448

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2020

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3820

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4856

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4324

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2032

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1328

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1816

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4512

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2984

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4644

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4316

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2396

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1044

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1296
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3880
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3020

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
eb809a98faef10cc1aa46169bf869b14

SHA1
1f12e7553a46af9d71dde99be44666db3d1b879a

SHA256
5d8a41c70928223cd3d69150a841a0fcd44a6225aaaa16dc9e7cf5a16719341d

SHA512
81434eca8c286a4014dfcff9d4509f7a651ca2ae6cafa8a3f8cf0a6632220848dd4d7429a67f320e52d3223bec5f8c2512c32f9032c9fbe6815178aaf6f0d153

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
91242e0346cb081215637fd4f1a8d395

SHA1
bfca48b506fc536ac0e84346dc74419b177f8b02

SHA256
5837239d631d481ba0057af135ffc071cf457bd3e87cac6186f44613f40e63d4

SHA512
e60195ccd26b8979d501e472acbefc7558865295e96d425289df3323b3c37ec7336edbb0a0a01a6eec9512ddacb0b95c5560ec3e9003ed3eb0db4f81bd1d423e

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
91242e0346cb081215637fd4f1a8d395

SHA1
bfca48b506fc536ac0e84346dc74419b177f8b02

SHA256
5837239d631d481ba0057af135ffc071cf457bd3e87cac6186f44613f40e63d4

SHA512
e60195ccd26b8979d501e472acbefc7558865295e96d425289df3323b3c37ec7336edbb0a0a01a6eec9512ddacb0b95c5560ec3e9003ed3eb0db4f81bd1d423e

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
b530c147c89144924120d43b5650e50a

SHA1
4f41ef4a031d1445b3b09036f005615a9d51161d

SHA256
ca987187d4248ffb51a497c75e18ec5db56c6aa644380ac4d9c3bd7ea7432d0f

SHA512
73583eb131d0a01da231630a3d0b65a5c17b71345d1cfab65ab73a4926fc6f1e2b6e1cd967ca67ad3cc937f0f6952e2ea652a198a4cfb733e7892b256d36ebc4

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.4MB

MD5
94b347af47df60e62cac5235c3fea011

SHA1
ea44accde597a39e21cfc538b417ce3091a69a38

SHA256
d6770d2b346e7f8f1ad46ff471b96494605372ddee26bcd70f954205a4e452ee

SHA512
30c90b1a7241d0b7e417f6ff1f48943a911a7d4570d7916102b7797285a816924799d92a2ee7fd15667a7125f12d07248be154a9957b25b53ad98d6938878568

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.1MB

MD5
810700cbde5f88e45024957b2e9dc8c1

SHA1
025fb14c2ab0512b3cba25d5c35a312461889fac

SHA256
704e3a67287afefc0268cc2e2007eabebb57b99ad103c07143ee42b6b1b6b069

SHA512
853d2883509da63f1de551e58963fb3f749e1fcd4377a56572142e9a3033c0e1053923edc48f99a4e968ed41e433a38cfd3f91a63d044a5c9215b4c069668e3d

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
0d04beae882170da3df1d2b05a99a346

SHA1
00c82c9830080023e55b03cb0b449323cf4f8cac

SHA256
4e8ec2bd53aabe5864ca9d57288533a63c34f61d76219dfde084105d699b6132

SHA512
4fcd4c7388b89aca6e34752d385101020c204335e825572954d93ccba1e3ff4344e492ae70f67341ed9f59e39f176dcf3b6696a0c95b123fb299686ef65c33ee

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
eacd4f08920f1835c5d28bc247c32367

SHA1
6bdf9260025e63d00d85f605fc2a6ee59798dbd1

SHA256
67321eda3dabb90941dea97f6536589419e48040e34e9f5193af2bccf493af7a

SHA512
c50aafeb815f939aab0f3b28eef623fa23d0536cdc2bf72cc4ff1677493e599c7ce2ef4412ff4e40170ed3629b7e98f08ec4b45fc3b381467939e3da39cb4899

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
1.9MB

MD5
e5b9f7d861a627e2cf70060a6f0335a8

SHA1
64889cdcc8e986237ff5f527cf275984bf46ceeb

SHA256
79ac5805fade5d37b7052e6dacbe1b078f7b8756522118a13d4351e2cbe35434

SHA512
7cd44528e46f297698946f6f8813bf2ef659e3a56668da6afb374f1e5e84864f702499400ab8b46c84459e9da2f95230e593b5679a2a510e16e71fb70bfe9b66

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
1.2MB

MD5
782136fd71b1de145883ad62a5931fc5

SHA1
aa4f02f0e20b08a946f1a2008fe812678709d993

SHA256
e907a5fc37e4baef7d243a3fa3aff8dedc54133e913391d19b81dd967e345f3d

SHA512
edda8c0278f196d5992f1c82cb4cd972bc78ddeb4ce82fee5062710cec020619c5309c55e539542084bc32a3a51d99d8c7e936fc583b31f96551762fdb16d90a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
31b343bcae2002e5de05e5b8ff0d8a78

SHA1
4b91d33df3e31533e9c9b63c52dadcd110cd4c82

SHA256
03e46bd0e7f4e3259576766ba866862eab3cc388eaf481cd583c2f2120785933

SHA512
2840a52c4fc1a4063647e8ee15eb4c994437fecd0a9fc0c36c0a709189876dc71714355b15640fdbaec1606e3e3787662ad29054c571a5e3989b9c92ead329ad

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
6f765ecdc3045dc042fab28b2fd45b43

SHA1
02e666ddb24f823a220f1149e97970452eb1857f

SHA256
6ba9d3caf77f84f7deb32a01c215449201989f24285430fcefa498071daacc4c

SHA512
088f44efd474ccab05ce9cf6bf0a6bd749697c71943773bab2ebf9e7de8168dc30f4c0611a4c841398529e6f7fb0fea68373e92b402a30ab39c3f7547ff33c4b

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
9895fb14e5bf36e13382782f26b329b8

SHA1
c407ce24ce03b18c910fdc583ff5eaa98ed0c525

SHA256
7a9020f49c68d6e78eaadb7ab59eb135ce124652c433ef1778824eea64a3e91c

SHA512
db6bedb33e6218571db338b59bc4aa79d139b910bf1e4718e3ca9e0c036c4204ef519ea6e22a092e9718073fdeaac8e61e88a5f79bec55b73cb2fd23fc2cacdb

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1024KB

MD5
a8d8db077f39d178d92d16e2fefaff99

SHA1
477b8f3759fb6d45da562a6a4698a1cbe96f67bf

SHA256
d33166b13ef0fd53fc4ddbaf190d32ce7528063e6389d8751a4eb7ccacfe4947

SHA512
1b4023fe99e9b31ff5a0ac9008bf3919d24046633eba9c123a6853c4754e6bc207b8f0f2555817904e42f86a87b7d33467f3fc17d1ffd1215ee1fbe9354b6f6e

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1024KB

MD5
fe125fff9ace5302061128b29dd7962e

SHA1
491f30f61e41f3139e4dbb7dde84843750965662

SHA256
5451d1d4a18096d8b35db8483bf93deb3ca7e050174bf40c42db5014592026d9

SHA512
aef56e9098861881ab2e8fa46314db9a18e147d29f65ac421af9e5ace0643dabedf5f32ecc13b208220bb2d52b0b821a3a08285a588e4b84f66924b7f6e21a3f

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe

Filesize
1024KB

MD5
82d1cd0f4f9ebc36d8817625c55d2bf7

SHA1
4e917034ae1e57078f2896718ecbef1c16a5cbdd

SHA256
2b7e61aaddf5abb109bea7fbe725f5f1b43aa9e8ce5c9c8d10e421ec5550d740

SHA512
2cb3d4cbe5afc124be005440f82e4c947eaca667501ee4be17dc9772c06da47f983a8263f250ca9838d17eb2021edca5d3f3a43cf350e2b4aa24e2fc3164f6fe

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe

Filesize
1024KB

MD5
d067dcfc36309786b22241d5191f3c29

SHA1
a188fd3717dc3fcb196c8fdfb3e521408f504b31

SHA256
bc9e90c1d1f5c34afb65ea7e118a1a20110f5181f1cca73fd0588a2db7f62ca9

SHA512
d932f9b69a778a3595b48bd6633bab674784ec4af2211768331cead5039ab18289cd2625556856ea70da8115ed905a0ff32ed67fd25c4f94b07ca700bf4484cc

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe

Filesize
1024KB

MD5
c5ff3a67d63d846fcc3c171288127afe

SHA1
2c1fc6ee03f5e657636b17f79b78a9b125d02aab

SHA256
5f4c04c6ea87829c47064d660b07ff0cb2255edb53238036f6521abfff0949a1

SHA512
f499d47d569ae582766a41891538971acf2537d06ef40f9d1475d39ef3213632255eef6de2c82516f840bf412abaf40c722b831c5394d0205dd28562f47ec58c

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe

Filesize
1024KB

MD5
3706a3bd620dee977a90511ae0b92b56

SHA1
aee4c94a9e09a540fdfa564c8ded9f9f646cf965

SHA256
ed59cbe7fc0d6938615a331d906a13ea56bd16dd825fecb27a668df438bf7989

SHA512
50d5f41dd303c9d16657942a9f657e5e1ae35e7abbcf8358d8af1c8288186186f01fd289a5b8b30158ea07f6156c135eeb87d4445938126ea74b5269f9b400cc

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe

Filesize
1024KB

MD5
431be969dfe17df3dbb7104da705afdb

SHA1
77f1c95e58cf25e0b94ecc9869de16570035939f

SHA256
0b6fb4a65e65bd9ad19e0989f11a0a2e53187631c586d300cb9e4c17d3f7cda4

SHA512
19a397fd8e19ad335d8d0c781f90984373958fe35b46fb2e1a9ddee1891b10ce1185230aff228fae5a62dbe589dd62f6cb6733b034139373b50a9de85a8b3f26

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe

Filesize
1024KB

MD5
52ac53ca0dbf1c40f1c4105dea83301e

SHA1
270fcbc988631743aa8b46dd2f0408baaf7be129

SHA256
13a5735c285adb80ef44eee45d5653997514a8338bafb603ef6d70c45fc28898

SHA512
820120676d7ee9775d8a38b6b4b403d63f7431ee3be9dc09016dad7d8d93646da5f7aa1899a28d0ed9cf18ea5cca21daf9f1bbc1cb02f3c756363cb447fb9fee

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe

Filesize
1024KB

MD5
e42d10937f02214b66ce3a0ee1263557

SHA1
94de2966d665a6efe0799244f7d641553addcf07

SHA256
fada2c4957df35712f45c71f9c20b8cf6b5eb1d18b2f1d0c830dc8193bb90da4

SHA512
bc2aa34e4d2e0fc56f5ad577df5148d2727ec4989935df373f7ab6976e9f1098b9261271740f8f4a5e6fd8d06c7f247ce0f11ef1c26beb25505b60f11b466eed

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\java.exe

Filesize
1024KB

MD5
e4455e9d7d029cadd6e9fdfc77dd33f6

SHA1
425320dfa3bad9b7b3eb1f8789f3c30490176d73

SHA256
88c9638219cc3244a1cb25d4b5b0a8d8d2060f10b8a24b00baa27576b3b387d0

SHA512
c11e8ef3a0046182491e19497d5484d8ae7c0414fc66cfa6fecf2c42fec2326780e76fd310aaf7a617ca37b80567613c008551c8782bd0cc62c9d42336006e15

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javac.exe

Filesize
1024KB

MD5
9470d55cd77e8abe34fd25d8449628e1

SHA1
dd01183567fc8b815e92ba7f215924fa1c5f4dc2

SHA256
8b0b3659646c3eff8f8ff925029900bb4e9c8b7bdc9763651a36d5bf82d015a3

SHA512
d1d61afef7a667d8ac58c1130a5928fc16340514c8770571ae3baea875f3995e6121b738d9e301263055558623ace9ccd48e1a5b48555013c9f92450fed664c1

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe

Filesize
1024KB

MD5
2d8cf91910e7bd7a83331a9d821c692d

SHA1
20c8deb32bea1c63b44d6c16a1149d2ec067a1b5

SHA256
4ed1c2a32da6f63aea4ad62bd25ab87ea805d84dccd6aed801a9a06e7225bdad

SHA512
05b847e205e191bce9ba83b4cae32778628928523e6300474f197fd08226b0b5ad7ecfeb70edce047212ad438c057611565e49f2a25b8aa5190c07c8aa74a016

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe

Filesize
1024KB

MD5
638ff959b80d8d302709701c94e8f3d8

SHA1
4149d6e707a0cba7533714c49e9266628c63807f

SHA256
0ccaebf3829ad165e67582cc27b20edecc36e47b20c190243bb960f58536f267

SHA512
8ab7d187daf4c9bdc37bd24b4a8bd013b60e6a655b6db39b67828b04db0b9fe1712fee873b47db76deaeed286036ac550719e2690366a51f50b074fbd918c76e

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javah.exe

Filesize
1024KB

MD5
ceca3601674f274515750cdaa97d7624

SHA1
b1eb6e8296b9b71582329d6bfa20f66e7bf827bb

SHA256
7a51ea6c7d259743eab9c4dcc504afe89ddd4ebb87af1b7d282f791c53fd6f48

SHA512
550ce9dd87246e640e8c5aadac26299843fff8a138b4148b523eee6982e6d3831125abe8a19889bd72f351fb378d051b95340595387bc5b14de21b519f403157

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe

Filesize
1024KB

MD5
41ce23b24b1989716091e8f153328560

SHA1
61879d189b99d35bbf805372432d747c9b476deb

SHA256
b543642027f63b1d73ed731be3e8cf6dd6113b72490b91e06364eb794a742065

SHA512
00a5e9194d419f84fa7132d4e19cab7cd478b98056a0c7e9ea5e061967c8aae43e1307f2b942c921312ac733cd9ea4b033282aa7c2b4871aee806e95d2758852

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe

Filesize
1024KB

MD5
454d231d22bd7a9a79923aa14a562ece

SHA1
b1dfc6d9be441862cbdecdc5ba9d966e7012793f

SHA256
b08774a053874d3fa6cc1d3f8b973f4addbf241312e6131d8f30295ae6da55ed

SHA512
b8a37c2f2c665b989596c209a31ec72b15efda14a94760f03ffc64a098fe14e1428969e90d04cf72bd9d28a073bb531d6d3572f61bb82c157cc7e3812c062c06

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe

Filesize
1024KB

MD5
11db0f1198c4cd5113b60ae65bddcb5c

SHA1
c59ee228c65e1efa496856011b2174a56b75f746

SHA256
0b94fbcdd73b8a0bfd9781251371faae48fb85bf3bb964a62eb1865ca38cd21f

SHA512
47abc17c7ede0dfe0964a12e91c7c41063c2cef44118889c9bf465347d414b4417f295823cdf0ebf13a337032ca07fa51259ad778c0e7c2919b84c2c163e3a08

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe

Filesize
1024KB

MD5
b08ede779ec992ae625bd6da719979c7

SHA1
e028d433014ab260d8b1265529ec49d898ecf8fa

SHA256
6d5e019136384b9235703c8bb30260cc349a663925f5c1c9d75c9bab635a8aea

SHA512
ff85bc73e9aa2b3ef16ebe044c18457c9096b2139b980d54c994dea8bb8822c405a06d79a492cc32ff657ceb66e316bf426711578561ebdd7835bd0def2cfac3

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
f8ac85d7e65a0b394ce54e91a09a6392

SHA1
861db45c7cc99a14735c01c76f9f7fcc1a956287

SHA256
15866bb318b2bcb6a2ca67409eb47a26ab20b839de3a2be6c5b0e0cd6eb20f0b

SHA512
9b3423f5ecd0396faf158475ba21db64ade88d5fb8cc52ff6d50e1ff0eab9a246f5733305c078c0a858e55050a432779ac27096516e8c416b773aab135874a2b

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
bb7daecdcf3f5429b7b135b23e0929bd

SHA1
5a3354df62072abef49abd317f5e40c968ef6cb1

SHA256
8af672f8d0637e06d329044ac93b2be3f477b33e493c668b326d925bdbac0cb6

SHA512
41a3e224d765e312efdb5bddaf216181e39c4bdb06e16b234b6c91c3025bfd797779768d7d772664d7bd277c14cbdd715e58b736f29bc5f36921d32c22aac6f0

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
97f0efa2f5686c9a9591f8edc09122e2

SHA1
41e3b5f988dd5fea226dfd904fc0218397980961

SHA256
30185c376ba3c2f500c0a6e723a3b757296e8e51722d29cf97fc20cb8e2c15d3

SHA512
49e4dc542e2cef4e02ab841f3e605f2bffa9e48e265715ed75083b60498aff9142f0d0acc88853ed1b3cf636cfe2d12338d5844de1d1aa4f00d203c7c57bd5f8

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
9b197d776490ec2705a5aa265bd0ac25

SHA1
34ecd23bed3b1f66afca073b9e841ab068f5466e

SHA256
e162740ff035034bc4a32c7528d9e17f13f4d22ef69a1f3b8e61ac2233b83e91

SHA512
cc9c8d41c98c822c6bae56a5a32e6edd742b5cbf1d5fa3b280301fe3c893fdf6c1a8fdf5f2acf1830cefbe4f1751455a9b8a032984d2c1c9f6c1c6c89191eb7f

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
c6d47b0a912eb9936a80c8d0e04f4b89

SHA1
1dbc6a1682f21511969586b0bf2d8f4fb2657574

SHA256
1538e27510546afa498d78e6d324005123f21e415a773fbb6d78d88c7cc2856d

SHA512
a15f58ee7dd246e6f2727ded7ec23daf853dcd4aaffcddd22fca360e5434dff1f88e64d28c531cb4f93d1a5e7f974dd63446338d63315eed5e69a36b69d18cac

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
9e5a0870eb841d536bd668ce454dcd80

SHA1
daaaa261ef97f5684c677388efd25d511a725d29

SHA256
cf582e68b4213281abfeb5bc8ff4b82d0227c51ec78524894815655a0e94b31e

SHA512
075478eff91022e3965080f8d552ba57f292a46ec10667f4930b97b578ec3a7f23d9f647a0039e681c6cf1395d2ca1d6d986dfe99e8a88de214ae10b5bab94ca

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
c219ea9be6d8b7cb9250ba4d1c0d9f08

SHA1
6d4f2f59afd56516a53c9f5c6ff2940d626a74a8

SHA256
9008fde2114250259e494d7d5247e9d764080c8828267ebdc63d0405909cccf1

SHA512
d197a074cd678453383f83eeffc2b75f1de62f4b9c0863eed07f3e1ab8941b6f0224a1ebbcd50a0541f4d3374ae67cfcf8d0604b4a18a7bae1e9f3ccf4a0c291

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
c219ea9be6d8b7cb9250ba4d1c0d9f08

SHA1
6d4f2f59afd56516a53c9f5c6ff2940d626a74a8

SHA256
9008fde2114250259e494d7d5247e9d764080c8828267ebdc63d0405909cccf1

SHA512
d197a074cd678453383f83eeffc2b75f1de62f4b9c0863eed07f3e1ab8941b6f0224a1ebbcd50a0541f4d3374ae67cfcf8d0604b4a18a7bae1e9f3ccf4a0c291

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
8a25c58e585b394c983fd0d23be1cd48

SHA1
4ba8b18cc4b14da135c7ad01275a3d4d5a5b01f2

SHA256
612f6c044786974fef8acb9f762c5c8ed21668d99244334a0a53ea79fc3bede1

SHA512
cafa29533c7f6828f74cea33f56f68277adea7f8839326b701c073267c4653f1b5d574be9b47fb64dc2aac40ce08b9379c35f95cfab4bffc01e29f25227a3e34

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
1328d324cbebe6d84057739505840007

SHA1
8fa9f80268403986917d1429536205d44dce1cb1

SHA256
128f6db34e8a534eaaf0920565865fe2365cf1614b1fd7f404c988054b95e96a

SHA512
2ccf71fc4d1b577009a3b95cd604cf5f180da158f4faf7ca92a9ce479d6888e92cb8853f0e604df56724d00f0f76987c6e01e9f73727b81abc87c00b7bee6acb

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
beec4bd0ccb7ec5779166144a3009fbc

SHA1
4ccac5c6d7129ce6f61362a6af744ef864cb4235

SHA256
39924fbd5a5255f51e4e59aad8222697771af1f104c7faa576ed55b91415cfb9

SHA512
91ea3dfc2ab1ad2251b343f40a3231b5476a5309353a712ecf4bb897bf09af01d19aa0c122106bf1eae79c751cb33c535e3e92253c0bd5993490316e27d5f747

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
beec4bd0ccb7ec5779166144a3009fbc

SHA1
4ccac5c6d7129ce6f61362a6af744ef864cb4235

SHA256
39924fbd5a5255f51e4e59aad8222697771af1f104c7faa576ed55b91415cfb9

SHA512
91ea3dfc2ab1ad2251b343f40a3231b5476a5309353a712ecf4bb897bf09af01d19aa0c122106bf1eae79c751cb33c535e3e92253c0bd5993490316e27d5f747

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
b370b8b9b7276d457cbe42b961a579f6

SHA1
32a11608f9c92a958f8d66079ec5db66eaf89d28

SHA256
a39c54e90b3bf4250ce4f97cf2fb77ed24f374f94843f320dfced296dbf40315

SHA512
99ebf5f5560a8114adff6fc5bbd24c5fb4c2bbaa2361c3992f446b0d49e217dfc932da6879612d0efe6b048d2872bd3ef618336b3b5f86e02444db82c33b07d3

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
83a5656fd386d4d90e2a572a887be344

SHA1
739c9962d8d9ef470c2a9d3704f49cf04dfca8b7

SHA256
54acdfefc100517766469ed12d71d8ddc45e5f0a577e9f501a9e8610865b8a73

SHA512
611361e0e4dfc83b34fcb80fd319252de16324dc8e1df715d8cfb27e35d1efb77fb33c3b216dfd82b05df017d3b6f44763e36dd440df61a021b1e2718ac01309

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
610f5a6b7fe6c4a5e1678e9e5cc28b12

SHA1
7fefe97d98012227062c924752f74950cccaedcb

SHA256
850fdec3d1f71d84a89be1b01b30836faaa880dc6ec94ccf8508c39d35357f3f

SHA512
25362a2f610a9b540dced604b7080f699303db6e82324ed3029cc3cde237944782e49aed768bc4c8f62f9d47d520146d48a0e0193d8a7a25cc17fd969f5bacc5

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
e060fd9518e0cd821a8b69c92576ea72

SHA1
922a0feeab609f0efb19fe25958250f9a9a0e54f

SHA256
f713a4cdd4036be3cec3df4da3aea7c38161bb945cb4762906839cd7a8c7b77a

SHA512
6ea0eed352d58841f80ca166ca292f9584bbf27e454dad1e2192da8afe7cd192d065f0e44c0cab4d2e9fba38e9e713f2b5d61ec14cbd88e1f90680e8eba9699e

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
32b48b98f3f1a24bbdad4d716189205f

SHA1
d3d93742666ae1430ae76606944e3d82f631ef10

SHA256
23d8082b36fd925eba47221ffb1e4dd9033ed4dccdfaca96640227a1c52218f6

SHA512
1ab727d1fb9ec0a93c0179891c9af4f9095a986f140cbb626f0fbd2d58f3be08d37697b97170c958cb974cbc67b7e22a3ac34e426ad2b937c5181687a854d251

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
a33d7b0e496abee8e773d539a0bf54d1

SHA1
9de8c6abde705c8849433af15b9edfb0320e10df

SHA256
2a79e2f8b09b3fb6adb3a4cd0d858f3d4c92e7d7b844cbcf22c8abc3075da02b

SHA512
6c943c5db039d7ac08fefcc1bf1188225362a8ed03e92111b22f91b45386de8e0bd1f8cf37cc40bc300be962fb62813baa67ed3e765dff7198dd19bd1fed41c2

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
78a1283dc7f0ece47441476d4b6815ef

SHA1
361877257620283da1bd9e3f2d01d76181d1b077

SHA256
755a7c9bf5069ce38dfff77aeda2d667f2b252a4b4282e070ea6432bb0e51699

SHA512
0d8c8c3c0c8ae82d5ede523a010d8d3c70e67234310e47129957bfbbebb00599a1e9d1fc54935646fb903b9fb6b11bee107c1427770ff02cf5d72b1bc3df28c3

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
1cfc5c4ae5193ebd5e3bd71b5cd69bc4

SHA1
8622b001f1573a1972b14304b5eeed29d806012e

SHA256
1902292bfb2cd3cb0ce24547b216e5b372cba6897e08c65b45d2e428b6f0b87a

SHA512
3569b5460633a0a66611ce584100b3bc42d654c642ef8ee10654a66cf528b9bc8a3366ab60eecd0bede3e2ee8017962d1b206c7b3ae0aa73a508781f44873501

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
d115d767bbbf87381c92b23f8eb5d91c

SHA1
bf847af1cc108ce654651c5cf39d9ded8c153434

SHA256
2fa500ece17ada9288465a5cbeb37542b226305eb9ae9a4ec33e95cbcd8b1851

SHA512
9bc633d97b4e9653e797d9d7a3917dbde997f7a9664f29686a76619fb165bda9bbdfc967cd1e9d626de3e9ed833364aa1844afdbe161c9b0b67c123d97201535

Download Submit
C:\Windows\system32\AgentService.exe

Filesize
1.7MB

MD5
97f0efa2f5686c9a9591f8edc09122e2

SHA1
41e3b5f988dd5fea226dfd904fc0218397980961

SHA256
30185c376ba3c2f500c0a6e723a3b757296e8e51722d29cf97fc20cb8e2c15d3

SHA512
49e4dc542e2cef4e02ab841f3e605f2bffa9e48e265715ed75083b60498aff9142f0d0acc88853ed1b3cf636cfe2d12338d5844de1d1aa4f00d203c7c57bd5f8

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
1c14ff7713ee364d5b184cf955e8c3ba

SHA1
9c82a14aa897aca6b621580fb3173c340c21d0b3

SHA256
93be8092d93abb932d9763eac6937db377dbb588d9723635273844e7d7d3d92b

SHA512
0c4893fabad36366f504e788c43e11c69e2384a5b0b408188d6ae97ad647bf65f28e5c508382e9b6dd41b9e97d7ff0518877e431eadde49af0bb845ecd6ac796

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
7c194addf5b5d24bf76bac34d3ce9214

SHA1
5c2862cbd44fac3bf66478d408d9be173443115b

SHA256
6e0b87c28ee8d0ed042bd23ffc5fa665beb6ccc608d2ad3d8c699c9f3e720216

SHA512
bf3eb7c8952fb4272a0acb35f2cf6517ae3d3a9734f5d83fb3c0ab45f66777b50b289b575d9b852b5db3f92a24fdf8e059431545f16298e5435ab1c5fd42b1c7

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
c6d47b0a912eb9936a80c8d0e04f4b89

SHA1
1dbc6a1682f21511969586b0bf2d8f4fb2657574

SHA256
1538e27510546afa498d78e6d324005123f21e415a773fbb6d78d88c7cc2856d

SHA512
a15f58ee7dd246e6f2727ded7ec23daf853dcd4aaffcddd22fca360e5434dff1f88e64d28c531cb4f93d1a5e7f974dd63446338d63315eed5e69a36b69d18cac

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
6030935c5efec19779f136f76d14c12e

SHA1
4ed53b59b05759b34e7837b53eff57c0261ae40f

SHA256
5a9026c8b6809a3d36b85a50b5fdd6facd2fcfe4dc5f9969df36956beda9bf81

SHA512
bc3e1e3dcf66fca62f74a2b4a3153b00e402901e749367636ed35f0e1739f9686bd5b1d039dba32a7303158cb17e4c05a6d2e5648b1d8b797975f88a6af21cb3

Download Submit
C:\odt\office2016setup.exe

Filesize
4.7MB

MD5
bdb6cbc4d9c8f6ae54d06122a5d11a00

SHA1
d14e39933ce13927b770cc6ce932685048525684

SHA256
386ea54ce3062344f4e58cdb5193664bb79cc815a1747b1a9dd254f7a514a5e1

SHA512
fb6a9a69f97bd593da3fabe4d1cf3efbf3138c8d2bad22384bfcd6c501eab905b29662fbc9232cf581d9c142a302fa5b260bd05eb8b23169ec894b99a9b737bc

Download Submit
memory/764-170-0x0000000000650000-0x00000000006B0000-memory.dmp

Filesize
384KB

Download
memory/764-176-0x0000000000650000-0x00000000006B0000-memory.dmp

Filesize
384KB

Download
memory/764-179-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/1044-622-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/1044-401-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/1296-431-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1296-625-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1328-336-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/1448-262-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/1448-136-0x0000000005220000-0x0000000005230000-memory.dmp

Filesize
64KB

Download
memory/1448-139-0x0000000005220000-0x0000000005230000-memory.dmp

Filesize
64KB

Download
memory/1448-138-0x00000000076C0000-0x000000000775C000-memory.dmp

Filesize
624KB

Download
memory/1448-133-0x0000000000750000-0x00000000008CE000-memory.dmp

Filesize
1.5MB

Download
memory/1448-134-0x0000000005900000-0x0000000005EA4000-memory.dmp

Filesize
5.6MB

Download
memory/1448-580-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/1448-137-0x0000000005220000-0x0000000005230000-memory.dmp

Filesize
64KB

Download
memory/1448-135-0x0000000005430000-0x00000000054C2000-memory.dmp

Filesize
584KB

Download
memory/1676-204-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1676-529-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1676-198-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/1676-191-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/1680-260-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/1852-156-0x00000000004A0000-0x0000000000500000-memory.dmp

Filesize
384KB

Download
memory/1852-428-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/1852-159-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/1852-164-0x00000000004A0000-0x0000000000500000-memory.dmp

Filesize
384KB

Download
memory/2020-281-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/2032-606-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2032-318-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2396-397-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2800-218-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/2800-224-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/2800-227-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/2800-230-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2876-197-0x0000000000590000-0x00000000005F6000-memory.dmp

Filesize
408KB

Download
memory/2876-203-0x0000000004F80000-0x0000000004F90000-memory.dmp

Filesize
64KB

Download
memory/2984-359-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3020-766-0x000001C9C8CA0000-0x000001C9C8CA1000-memory.dmp

Filesize
4KB

Download
memory/3020-725-0x000001C9CA720000-0x000001C9CA730000-memory.dmp

Filesize
64KB

Download
memory/3020-761-0x000001C9CA720000-0x000001C9CA730000-memory.dmp

Filesize
64KB

Download
memory/3020-762-0x000001C9CA720000-0x000001C9CA730000-memory.dmp

Filesize
64KB

Download
memory/3020-763-0x000001C9CA720000-0x000001C9CA730000-memory.dmp

Filesize
64KB

Download
memory/3020-764-0x000001C9CA720000-0x000001C9CA730000-memory.dmp

Filesize
64KB

Download
memory/3020-765-0x000001C9CA720000-0x000001C9CA730000-memory.dmp

Filesize
64KB

Download
memory/3020-669-0x000001C9C8CC0000-0x000001C9C8CD0000-memory.dmp

Filesize
64KB

Download
memory/3020-767-0x000001C9CA070000-0x000001C9CA08A000-memory.dmp

Filesize
104KB

Download
memory/3020-768-0x000001C9CA070000-0x000001C9CA08A000-memory.dmp

Filesize
104KB

Download
memory/3020-769-0x000001C9CA070000-0x000001C9CA08A000-memory.dmp

Filesize
104KB

Download
memory/3020-770-0x000001C9CA070000-0x000001C9CA08A000-memory.dmp

Filesize
104KB

Download
memory/3020-668-0x000001C9C8CA0000-0x000001C9C8CA1000-memory.dmp

Filesize
4KB

Download
memory/3020-667-0x000001C9C8C90000-0x000001C9C8CA0000-memory.dmp

Filesize
64KB

Download
memory/3020-686-0x000001C9CA070000-0x000001C9CA08A000-memory.dmp

Filesize
104KB

Download
memory/3020-688-0x000001C9CA070000-0x000001C9CA08A000-memory.dmp

Filesize
104KB

Download
memory/3020-687-0x000001C9CA070000-0x000001C9CA08A000-memory.dmp

Filesize
104KB

Download
memory/3020-705-0x000001C9CA440000-0x000001C9CA450000-memory.dmp

Filesize
64KB

Download
memory/3020-724-0x000001C9CA720000-0x000001C9CA730000-memory.dmp

Filesize
64KB

Download
memory/3020-726-0x000001C9CA720000-0x000001C9CA730000-memory.dmp

Filesize
64KB

Download
memory/3160-187-0x0000000000E50000-0x0000000000EB0000-memory.dmp

Filesize
384KB

Download
memory/3160-181-0x0000000000E50000-0x0000000000EB0000-memory.dmp

Filesize
384KB

Download
memory/3160-202-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3160-199-0x0000000000E50000-0x0000000000EB0000-memory.dmp

Filesize
384KB

Download
memory/3820-591-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/3820-283-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/4236-233-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/4236-232-0x0000000000D00000-0x0000000000D60000-memory.dmp

Filesize
384KB

Download
memory/4236-556-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/4316-395-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4324-316-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/4512-607-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/4512-339-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/4644-610-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4644-362-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4856-313-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4856-590-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4960-425-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/4960-157-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/4960-149-0x0000000002F20000-0x0000000002F86000-memory.dmp

Filesize
408KB

Download
memory/4960-144-0x0000000002F20000-0x0000000002F86000-memory.dmp

Filesize
408KB

Download
memory/4960-143-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/4960-140-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/5024-207-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/5024-214-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/5024-557-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5024-234-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download