Analysis
- max time kernel: 140s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04/05/2023, 08:26
Static task: static1
Behavioral task: behavioral1
  Sample: Purchase Order 202319876.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: Purchase Order 202319876.exe
  Resource: win10v2004-20230220-en
General
- Target: Purchase Order 202319876.exe
- Size: 1.5MB
- MD5: a838a2013c038b3a5039cb9abb199922
- SHA1: 6a315d36c940cd95359cd4ef46c5688352a22a42
- SHA256: d4f62b8520f3f0e84b19769be0f7bcdc20e41af8cea048261f3e37c0428b22d7
- SHA512: 8b80c742b598d0df74e5d7b57e5ceb386d74531572a41b02614651ef9f914367e00ef23c12548f9009500af8ca9d6085406d417fc405f6ca528222a77ea83cbe
- SSDEEP: 24576:Bq3UElwshsKgvyH1kz7iQ2Py9so+4XfbqQtTpSrwCDCSD85vvOn2rRAJdqfcd7AH:Q3UElf6Lk1y7iSFd5BvWn2WJdyk8P
Malware Config
Extracted
blustealer
https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325
Signatures
-
BluStealer
A Modular information stealer written in Visual Basic.
-
Executes dropped EXE 22 IoCs
pid | Process
3636 | alg.exe
4616 | DiagnosticsHub.StandardCollector.Service.exe
1868 | fxssvc.exe
3796 | elevation_service.exe
4156 | elevation_service.exe
3580 | maintenanceservice.exe
3328 | msdtc.exe
1924 | OSE.EXE
368 | PerceptionSimulationService.exe
1596 | perfhost.exe
3356 | locator.exe
3620 | SensorDataService.exe
2776 | snmptrap.exe
3420 | spectrum.exe
4460 | ssh-agent.exe
2292 | TieringEngineService.exe
3852 | AgentService.exe
4800 | vds.exe
4656 | vssvc.exe
1176 | wbengine.exe
4152 | WmiApSrv.exe
3900 | SearchIndexer.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AppLaunch.exe
Key opened | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AppLaunch.exe
Key opened | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AppLaunch.exe
-
Drops file in System32 directory 24 IoCs
description | ioc | Process
File opened for modification | C:\Windows\system32\msiexec.exe | Purchase Order 202319876.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\system32\locator.exe | Purchase Order 202319876.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | Purchase Order 202319876.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | Purchase Order 202319876.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | Purchase Order 202319876.exe
File opened for modification | C:\Windows\System32\alg.exe | Purchase Order 202319876.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\b22e6756c0346ca3.bin | alg.exe
File opened for modification | C:\Windows\system32\dllhost.exe | Purchase Order 202319876.exe
File opened for modification | C:\Windows\System32\msdtc.exe | Purchase Order 202319876.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | Purchase Order 202319876.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | Purchase Order 202319876.exe
File opened for modification | C:\Windows\system32\vssvc.exe | Purchase Order 202319876.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | Purchase Order 202319876.exe
File opened for modification | C:\Windows\system32\spectrum.exe | Purchase Order 202319876.exe
File opened for modification | C:\Windows\system32\AgentService.exe | Purchase Order 202319876.exe
File opened for modification | C:\Windows\system32\wbengine.exe | Purchase Order 202319876.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | Purchase Order 202319876.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | Purchase Order 202319876.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | Purchase Order 202319876.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | Purchase Order 202319876.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | Purchase Order 202319876.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | Purchase Order 202319876.exe
File opened for modification | C:\Windows\System32\vds.exe | Purchase Order 202319876.exe
-
Suspicious use of SetThreadContext 2 IoCs
description | pid | Process | procid_target
PID 1400 set thread context of 4320 | 1400 | Purchase Order 202319876.exe | 89
PID 4320 set thread context of 3224 | 4320 | Purchase Order 202319876.exe | 116
-
Drops file in Program Files directory 64 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log | maintenanceservice.exe
File opened for modification | C:\Program Files\Internet Explorer\ieinstal.exe | Purchase Order 202319876.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\jstack.exe | Purchase Order 202319876.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\wsgen.exe | Purchase Order 202319876.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\nbexec64.exe | Purchase Order 202319876.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\orbd.exe | Purchase Order 202319876.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe | Purchase Order 202319876.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe | Purchase Order 202319876.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\jabswitch.exe | Purchase Order 202319876.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\keytool.exe | Purchase Order 202319876.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe | Purchase Order 202319876.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\bin\ktab.exe | Purchase Order 202319876.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\rmiregistry.exe | Purchase Order 202319876.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ielowutil.exe | Purchase Order 202319876.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | Purchase Order 202319876.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe | Purchase Order 202319876.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\orbd.exe | Purchase Order 202319876.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\rmid.exe | Purchase Order 202319876.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe | Purchase Order 202319876.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe | Purchase Order 202319876.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe | Purchase Order 202319876.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ExtExport.exe | Purchase Order 202319876.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\uninstall.exe | Purchase Order 202319876.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe | Purchase Order 202319876.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\java.exe | Purchase Order 202319876.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\jhat.exe | Purchase Order 202319876.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\jps.exe | Purchase Order 202319876.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\bin\keytool.exe | Purchase Order 202319876.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\javaws.exe | Purchase Order 202319876.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\ssvagent.exe | Purchase Order 202319876.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe | Purchase Order 202319876.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\javah.exe | Purchase Order 202319876.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\rmiregistry.exe | Purchase Order 202319876.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\unpack200.exe | Purchase Order 202319876.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe | Purchase Order 202319876.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe | Purchase Order 202319876.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe | Purchase Order 202319876.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\wsimport.exe | Purchase Order 202319876.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\bin\java-rmi.exe | Purchase Order 202319876.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\bin\policytool.exe | Purchase Order 202319876.exe
File opened for modification | C:\Program Files\Mozilla Firefox\pingsender.exe | Purchase Order 202319876.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | Purchase Order 202319876.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe | Purchase Order 202319876.exe
File opened for modification | C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe | Purchase Order 202319876.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe | Purchase Order 202319876.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\bin\rmid.exe | Purchase Order 202319876.exe
File opened for modification | \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE | Purchase Order 202319876.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | Purchase Order 202319876.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\bin\tnameserv.exe | Purchase Order 202319876.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe | Purchase Order 202319876.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE | Purchase Order 202319876.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe | Purchase Order 202319876.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe | Purchase Order 202319876.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\jsadebugd.exe | Purchase Order 202319876.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\jstat.exe | Purchase Order 202319876.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\bin\orbd.exe | Purchase Order 202319876.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | Purchase Order 202319876.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe | Purchase Order 202319876.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | Purchase Order 202319876.exe
File opened for modification | C:\Program Files\Windows Media Player\wmpnetwk.exe | Purchase Order 202319876.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe | Purchase Order 202319876.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\policytool.exe | Purchase Order 202319876.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\bin\javaw.exe | Purchase Order 202319876.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\nbexec.exe | Purchase Order 202319876.exe
-
Drops file in Windows directory 2 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | Purchase Order 202319876.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
-
Modifies data under HKEY_USERS 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1133 = "Print" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c01c2262627ed901 | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000a53b862627ed901 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000219f8862627ed901 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000791c6062627ed901 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000f8f295f627ed901 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003db99d3d627ed901 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | SearchFilterHost.exe
-
Script User-Agent 1 IoCs
Uses a User-Agent string associated with a script host or scripting environment rather than a browser.
description flow ioc
HTTP User-Agent header 85 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
-
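A detection-side check for this signature, added here as an example and not part of the tria.ge report: it parses a constructed proxy-style log (flow id, method, host, User-Agent) and returns the flows whose User-Agent identifies a script host or HTTP client library rather than a browser. The WinHttp.WinHttpRequest.5 pattern is the one seen in flow 85 above; the other patterns, the log format, the hostnames and the remaining sample lines are assumptions. The Windows Search indexer's "MS Search 4.0 Robot" User-Agent, which also appears in this report's process tree, is treated as expected system traffic so it does not drown the alert.

```python
import re
from dataclasses import dataclass

# User-Agent strings that identify a script host or HTTP client library rather
# than a browser. WinHttp.WinHttpRequest.5 is the COM object that VBScript, VBA
# and Visual Basic code use for HTTP; the other patterns are assumptions.
SCRIPT_HOST_UA = [
    re.compile(r"WinHttp\.WinHttpRequest\.\d", re.I),
    re.compile(r"\bMSXML\b", re.I),
    re.compile(r"WindowsPowerShell", re.I),
    re.compile(r"^python-(requests|urllib)", re.I),
    re.compile(r"^curl/", re.I),
]
# Odd-looking but expected: the Windows Search indexer announces itself as a robot.
KNOWN_SYSTEM_UA = [
    re.compile(r"MS Search \d+\.\d+ Robot"),
]


def classify_user_agent(ua: str) -> str:
    """Return 'system', 'script-host' or 'other' for one User-Agent value."""
    if any(p.search(ua) for p in KNOWN_SYSTEM_UA):
        return "system"
    if any(p.search(ua) for p in SCRIPT_HOST_UA):
        return "script-host"
    return "other"


@dataclass(frozen=True)
class Hit:
    flow: int
    host: str
    user_agent: str


# One record per line: flow method host "user-agent" (constructed format).
LINE = re.compile(r'^(?P<flow>\d+)\s+(?P<method>[A-Z]+)\s+(?P<host>\S+)\s+"(?P<ua>.*)"$')

# Constructed sample log; only flow 85's User-Agent comes from the report.
SAMPLE_LOG = """\
85 POST api.example.invalid "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
86 GET intranet.example.invalid "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)"
87 GET www.example.invalid "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/106.0.0.0 Safari/537.36"
88 GET update.example.invalid "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1"
89 GET www.example.invalid "python-requests/2.28.1"
"""


def flag_script_host_flows(log_text: str) -> list[Hit]:
    """Parse the log and return the flows whose User-Agent belongs to a script host."""
    hits = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # malformed line: skip rather than crash on real data
        if classify_user_agent(m["ua"]) == "script-host":
            hits.append(Hit(int(m["flow"]), m["host"], m["ua"]))
    return hits


if __name__ == "__main__":
    for h in flag_script_host_flows(SAMPLE_LOG):
        print(f"flow {h.flow}: {h.host} <- {h.user_agent}")
```

A script-host User-Agent on its own is a weak signal, since Office macros, admin scripts and installers produce it too; pair each hit with the destination host and, where endpoint telemetry is available, the process that owns the socket before escalating.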
Suspicious behavior: EnumeratesProcesses 35 IoCs
pid Process
4320 Purchase Order 202319876.exe (this row is repeated 35 times in the report)
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
668 Process not Found
668 Process not Found
-
Suspicious use of AdjustPrivilegeToken 43 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 4320 Purchase Order 202319876.exe
Token: SeAuditPrivilege 1868 fxssvc.exe
Token: SeRestorePrivilege 2292 TieringEngineService.exe
Token: SeManageVolumePrivilege 2292 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 3852 AgentService.exe
Token: SeBackupPrivilege 4656 vssvc.exe
Token: SeRestorePrivilege 4656 vssvc.exe
Token: SeAuditPrivilege 4656 vssvc.exe
Token: SeBackupPrivilege 1176 wbengine.exe
Token: SeRestorePrivilege 1176 wbengine.exe
Token: SeSecurityPrivilege 1176 wbengine.exe
Token: 33 3900 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 3900 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3900 SearchIndexer.exe (this row is repeated 25 times in the report)
Token: SeDebugPrivilege 4320 Purchase Order 202319876.exe (this row is repeated 5 times in the report)
-
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process
4320 Purchase Order 202319876.exe
-
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target
PID 1400 wrote to memory of 4320 1400 Purchase Order 202319876.exe 89 (this row is repeated 8 times in the report)
PID 4320 wrote to memory of 3224 4320 Purchase Order 202319876.exe 116 (this row is repeated 5 times in the report)
PID 3900 wrote to memory of 5092 3900 SearchIndexer.exe 117 (this row is repeated 2 times in the report)
PID 3900 wrote to memory of 4612 3900 SearchIndexer.exe 118 (this row is repeated 2 times in the report)
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
outlook_office_path 1 IoCs
description ioc Process
Key opened \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe
-
outlook_win_path 1 IoCs
description ioc Process
Key opened \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe
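The host-side signatures above form one chain: a parent that writes into a child it has just spawned and then calls SetThreadContext (1400 into its own copy 4320, then 4320 into AppLaunch.exe 3224), SeDebugPrivilege enabled by a binary running from the user's Temp directory, and AppLaunch.exe opening the two Outlook profile keys. The following correlation is an added example, not code from tria.ge, run over constructed endpoint events modelled on the PIDs, image paths and registry keys in this report; the event schema, the OUTLOOK.EXE path, the parent PIDs 5500 and 668, PID 7000, and the list of hollowing host binaries are assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# --- constructed telemetry modelled on this report (not captured logs) ---
SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\Purchase Order 202319876.exe"
APPLAUNCH = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
INDEXER = r"C:\Windows\system32\SearchIndexer.exe"
PROTOHOST = r"C:\Windows\system32\SearchProtocolHost.exe"
OUTLOOK = r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"  # assumed path
USER_HIVE = r"\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000"
OUTLOOK_OFFICE_KEY = USER_HIVE + r"\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"
OUTLOOK_WIN_KEY = USER_HIVE + r"\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"

EVENTS = [
    {"t": "proc", "pid": 1400, "ppid": 5500, "image": SAMPLE_EXE},   # ppid 5500 assumed
    {"t": "proc", "pid": 4320, "ppid": 1400, "image": SAMPLE_EXE},
    *([{"t": "api", "pid": 1400, "target": 4320, "api": "WriteProcessMemory"}] * 8),
    {"t": "api", "pid": 1400, "target": 4320, "api": "SetThreadContext"},
    {"t": "priv", "pid": 4320, "priv": "SeDebugPrivilege"},
    {"t": "proc", "pid": 3224, "ppid": 4320, "image": APPLAUNCH},
    *([{"t": "api", "pid": 4320, "target": 3224, "api": "WriteProcessMemory"}] * 5),
    {"t": "api", "pid": 4320, "target": 3224, "api": "SetThreadContext"},
    {"t": "reg", "pid": 3224, "key": OUTLOOK_OFFICE_KEY},
    {"t": "reg", "pid": 3224, "key": OUTLOOK_WIN_KEY},
    # Benign noise from the same run: the indexer writes into a helper it spawned
    # but never replaces its thread context, and Outlook itself reads its own profile.
    {"t": "proc", "pid": 3900, "ppid": 668, "image": INDEXER},
    {"t": "proc", "pid": 5092, "ppid": 3900, "image": PROTOHOST},
    *([{"t": "api", "pid": 3900, "target": 5092, "api": "WriteProcessMemory"}] * 2),
    {"t": "proc", "pid": 7000, "ppid": 5500, "image": OUTLOOK},   # pid 7000 assumed
    {"t": "reg", "pid": 7000, "key": OUTLOOK_OFFICE_KEY},
]

# Outlook profile section that holds account settings and saved credentials;
# the GUID is the fixed subkey name seen in both key paths above.
OUTLOOK_PROFILE_RE = re.compile(r"\\Profiles\\[^\\]+\\9375CFF0413111d3B88A00104B2A6676$", re.I)
USER_TEMP_RE = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)
# .NET/Windows binaries often used as hollowing hosts by VB/.NET stealers (assumed list).
HOLLOW_HOSTS = {"applaunch.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe", "installutil.exe"}


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events) -> list[Finding]:
    """Correlate process, API, privilege and registry events into findings."""
    image, parent = {}, {}
    writes = defaultdict(int)   # (writer pid, target pid) -> WriteProcessMemory count
    ctx_pairs = []              # (caller pid, target pid) for SetThreadContext, in order
    findings = []
    for e in events:
        if e["t"] == "proc":
            image[e["pid"]] = e["image"]
            parent[e["pid"]] = e["ppid"]
        elif e["t"] == "api" and e["api"] == "WriteProcessMemory":
            writes[(e["pid"], e["target"])] += 1
        elif e["t"] == "api" and e["api"] == "SetThreadContext":
            ctx_pairs.append((e["pid"], e["target"]))
        elif e["t"] == "priv" and e["priv"] == "SeDebugPrivilege":
            img = image.get(e["pid"], "")
            if USER_TEMP_RE.match(img):
                findings.append(Finding("sedebug_from_user_temp", e["pid"], basename(img)))
        elif e["t"] == "reg":
            img = image.get(e["pid"], "")
            if OUTLOOK_PROFILE_RE.search(e["key"]) and basename(img) != "outlook.exe":
                findings.append(Finding("outlook_profile_access", e["pid"], basename(img)))
    # Hollowing pattern: a parent writes into a child it spawned and then replaces
    # the child's thread context. Strongest when the child is a copy of the parent
    # (the 1400 -> 4320 step) or a known host binary (the 4320 -> AppLaunch.exe step).
    for src, dst in ctx_pairs:
        if writes[(src, dst)] == 0 or parent.get(dst) != src:
            continue
        same_image = image.get(src) == image.get(dst)
        known_host = basename(image.get(dst, "")) in HOLLOW_HOSTS
        if same_image or known_host:
            findings.append(Finding("process_hollowing", src,
                                    f"{writes[(src, dst)]} writes into {dst} ({basename(image[dst])})"))
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"[{f.rule}] pid {f.pid}: {f.detail}")
```

The hollowing rule deliberately requires all three conditions (spawned child, memory writes, SetThreadContext) so that the indexer's own WriteProcessMemory calls into SearchProtocolHost.exe, which the report also lists, stay below the threshold; the profile-key rule keys on the image name of the reader, not on the key alone, because Outlook reads the same key on every start.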
Processes
-
C:\Users\Admin\AppData\Local\Temp\Purchase Order 202319876.exe (depth 1, PID 1400)
  command line: "C:\Users\Admin\AppData\Local\Temp\Purchase Order 202319876.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\Purchase Order 202319876.exe (depth 2, PID 4320)
    command line: "C:\Users\Admin\AppData\Local\Temp\Purchase Order 202319876.exe"
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (depth 3, PID 3224)
      command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      - Accesses Microsoft Outlook profiles
      - outlook_office_path
      - outlook_win_path
-
C:\Windows\System32\alg.exe (depth 1, PID 3636)
  command line: C:\Windows\System32\alg.exe
  - Executes dropped EXE
  - Drops file in System32 directory
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe (depth 1, PID 4616)
  command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  - Executes dropped EXE
-
C:\Windows\System32\svchost.exe (depth 1, PID 4416)
  command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
-
C:\Windows\system32\fxssvc.exe (depth 1, PID 1868)
  command line: C:\Windows\system32\fxssvc.exe
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe (depth 1, PID 3796)
  command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
  - Executes dropped EXE
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe (depth 1, PID 4156)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
  - Executes dropped EXE
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe (depth 1, PID 3580)
  command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
  - Executes dropped EXE
  - Drops file in Program Files directory
-
C:\Windows\System32\msdtc.exe (depth 1, PID 3328)
  command line: C:\Windows\System32\msdtc.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (depth 1, PID 1924)
  command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
  - Executes dropped EXE
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe (depth 1, PID 368)
  command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  - Executes dropped EXE
-
C:\Windows\SysWow64\perfhost.exe (depth 1, PID 1596)
  command line: C:\Windows\SysWow64\perfhost.exe
  - Executes dropped EXE
-
C:\Windows\system32\locator.exe (depth 1, PID 3356)
  command line: C:\Windows\system32\locator.exe
  - Executes dropped EXE
-
C:\Windows\System32\SensorDataService.exe (depth 1, PID 3620)
  command line: C:\Windows\System32\SensorDataService.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)
-
C:\Windows\System32\snmptrap.exe (depth 1, PID 2776)
  command line: C:\Windows\System32\snmptrap.exe
  - Executes dropped EXE
-
C:\Windows\system32\spectrum.exe (depth 1, PID 3420)
  command line: C:\Windows\system32\spectrum.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)
-
C:\Windows\System32\OpenSSH\ssh-agent.exe (depth 1, PID 4460)
  command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
  - Executes dropped EXE
-
C:\Windows\system32\svchost.exe (depth 1, PID 2848)
  command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
-
C:\Windows\system32\TieringEngineService.exe (depth 1, PID 2292)
  command line: C:\Windows\system32\TieringEngineService.exe
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\AgentService.exe (depth 1, PID 3852)
  command line: C:\Windows\system32\AgentService.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\vds.exe (depth 1, PID 4800)
  command line: C:\Windows\System32\vds.exe
  - Executes dropped EXE
-
C:\Windows\system32\vssvc.exe (depth 1, PID 4656)
  command line: C:\Windows\system32\vssvc.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbengine.exe (depth 1, PID 1176)
  command line: "C:\Windows\system32\wbengine.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbem\WmiApSrv.exe (depth 1, PID 4152)
  command line: C:\Windows\system32\wbem\WmiApSrv.exe
  - Executes dropped EXE
-
C:\Windows\system32\SearchIndexer.exe (depth 1, PID 3900)
  command line: C:\Windows\system32\SearchIndexer.exe /Embedding
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\SearchProtocolHost.exe (depth 2, PID 5092)
    command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
    - Modifies data under HKEY_USERS
  C:\Windows\system32\SearchFilterHost.exe (depth 2, PID 4612)
    command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
    - Modifies data under HKEY_USERS
-
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize 2.1MB
MD5 950ab2656ad86c1dcdd9b2d205f57894
SHA1 bd37018c8a4aac7ad594c98e0fb7b7f8205bf270
SHA256 36e9c2dfd12f222362d101e0406d7a6b44c889f236d74501d89d9cafc549008b
SHA512 f620d8ba73d0ead1634708df917dd2fe83e777cccc4179808049bba68bd551ce4322e605792098c500e23b9628bb5c7f029a8ccb600e348928bb28b18f53ce97
-
Filesize 1.4MB
MD5 5e1bef17d2e9ba4f743a800dae0e4c91
SHA1 cf82e301fcb67eec74f5ae0e17fc86b04ee7000a
SHA256 e67275a79d02671f58511fe98b23493a82c9b29cb7eec4cecca0ab75e7a8f4af
SHA512 358bd2f66baff619c9d222cf87270e8525b6031c37b9f24747ef1e0af228d49c7882a9e825c521be66dbbf4a8a9fb08b118f103e1ce89f6f6f359069e0a86df6
-
Filesize 1.5MB
MD5 6d4c3a6745d96b78091716e42f5035bb
SHA1 a513837e9dfda436964577289f33221c4ff6479d
SHA256 5342a19f3defa6c42153cd03b3019d08b817745f916100757ce9bb3ad6f6655b
SHA512 40f611b655fb3d21da6e9bf9302c77125527dd234098029803b6d9ddab83369e9d7e9af5ac11e3199116af008ef55d04d1628d42619d27dd8bff4e058867e7f1
-
Filesize 2.1MB
MD5 8c517c510cda7725a949e481e981583d
SHA1 8e8eb45f93a99c6fc8812745da2ef1e15984b061
SHA256 ebfc3eabf9686e34de54014a4b9ba9d61fb0050bb44f498a1202d645dc8c88af
SHA512 0fc78cd39d3530d4c011e5b12217a195b39e9fc7fc8ff65811237f406580117642e0760ba64e219ef9780fcfbf9d43c59083baeac59a9abda521e40a233e45fb
-
Filesize 1.2MB
MD5 b44f04be9d26a1d487c589c01fbf1c5e
SHA1 776c6ef422c3f6e7073b301f5356f3b9da8ef832
SHA256 129677e80084d2852ae32d63a68fd16d84aa43f32bb367750ac920e7c2b1efc3
SHA512 ff158a0f6b7492ccbc088c549bc8e68f4b764798c9b51c3778261ece307a3685c0fb110be40ab3a637e06ff95bf2ddc144d7cf19489fe03abf9471ad740d022b
-
Filesize 1.7MB
MD5 372d20b24e7725fee0a0d40a3194f05e
SHA1 6a202a471244a5e6a2bd807f73bbd3cc2656683f
SHA256 b3f64daa29e5a8114c20271fe1b22cdaea2e53e609150f1a01dd55a6b1f5fc70
SHA512 606378412a0c7cd671cd78a2b7312c0715cd1be12d976e25d3300bd99c8f1041dea42696fffd7bcab1a26dacd2643153ef8e037d32327b7978ce80420313de9d
-
Filesize 1.3MB
MD5 1822cd425fcea66b26e89e59ebee12ce
SHA1 f5951543988b81500b9d77a0ace116870f9affc5
SHA256 1c0743e80059d48ef520fa8b92056ece2a77eacd4c73692b6a46de8ba9fbbec9
SHA512 2030542775ebf94bc844db966ffe8c4f8ba97d578775f773aa54d356435a14d16b926cbfc438e4b724c6b0f07d5f105951aca4c093a1c3c1df0022c8f346b378
-
Filesize 1.2MB
MD5 92f543d3602258af8e692c912382a2ee
SHA1 81382bfd65dab0c073dee0f14d370e9ecc994f4e
SHA256 29d55b85d7c0c4855b4bd9b17c68bdb42495344d39bcaa3f659a6d59b0a38599
SHA512 25cef15c50b661c171484a33fb3f335ad6e71285a6276cc02480f45ae9d6a120622dba2ab082a25940c67c3e3e3382880f830e1d249fbb551aa836ad75f5a8b3
-
Filesize 1.2MB
MD5 024b74873f570b214e36357b1cda4239
SHA1 156d1867ab6e8b022415b2d1aa08691245d4bf08
SHA256 0ebff7b7ae5ee77413e61898647c2ffb81a054eee0404249e3dc8044cb744bcf
SHA512 7250780caf4896d1d9f231c6537701fef7b9fca048a1d9bf3ab7265be47a468b3513701e5d1371ec7706f59fecce6f82df5b41b0bdf24b5387180619095d2b25
-
Filesize 1.6MB
MD5 ed361444baaa8c170ff1db49f09e8a7a
SHA1 0d2fb87b097bef7e191b1ebed161f539b9ddc57f
SHA256 c19728a51427b511987b0e4c7cb3d91972397095c69637336e5e13a707ee24ba
SHA512 4b90e7e962ecba139edb9e86d68b3761618069d394d05dc4b0ddb7700c5469eb110d07a99edd7f1469d4dcc4654bfefee414ed9b2b01207e472add0924908990
-
Filesize 1.6MB
MD5 ed361444baaa8c170ff1db49f09e8a7a
SHA1 0d2fb87b097bef7e191b1ebed161f539b9ddc57f
SHA256 c19728a51427b511987b0e4c7cb3d91972397095c69637336e5e13a707ee24ba
SHA512 4b90e7e962ecba139edb9e86d68b3761618069d394d05dc4b0ddb7700c5469eb110d07a99edd7f1469d4dcc4654bfefee414ed9b2b01207e472add0924908990
-
Filesize 1.3MB
MD5 6b907807647fff5386a50e8a8942ec45
SHA1 6696556ea857c50d7815fa0cb029a5b509801a55
SHA256 e5acefc23ba5c372545a1ff68d8e67f2656106661142a82fd58c175d17e119d3
SHA512 2d20340ac2ea8edbd684a6eaadd249e3f38a7bff6e7c0deef9b7e778a4919693b00b48df89048130985d171e5382f3133b1c3a1dfa52303cab25e44dd850ea40
-
Filesize 1.4MB
MD5 40dd8bd817f89c67cfac76f7fab9047c
SHA1 43e28e30a558c7ec35fea2879d63d11a64d6ca61
SHA256 45a775b4fa02aa12638eaf197695c218ea6f7b42d688b7da86b6edba1e951912
SHA512 2366186157d3246db9491d03e896a000f1ec4569be22c9c0bf5c34a8b02bb1f9f68dd1e597aad31e49df51b67e6856b5fcdb4b75dff7c61642e30d6dafd3b8f0
-
Filesize 1.8MB
MD5 337725153a032d825067cb4366c045b9
SHA1 af751e85bc0d7d69994eb480b84651fc5eaf71f9
SHA256 0ed0e40116035f61630de71fa32184c8d135649c20ca792b521e2c4341b029bf
SHA512 a7d346d31ab727973b9932c928c031e0bb05334bbb832e227aa8726a84090d162d3d2bc8be096aad8f3f187b115ea6b67f9a6106a199fc93f397918c33e0cb2f
-
Filesize 1.4MB
MD5 d8b015ad6e89b4cb11c4501eb18bb783
SHA1 ed0b35c349d83719a252154683def103e88446c7
SHA256 5e365354da20eb466e491c40c0a7a89d552ff4e4a5bf990d393a9aa0026c6bf7
SHA512 ab00e34ec6e662e1cb4fe028b67e6ac9cead106feaed417a8f57d6ec306c5d17a376d51afdbcf65f0a2570a19ba14a0af94899fe1ffdbaa4da02bb43004a3365
-
Filesize 1.5MB
MD5 7288a6e447b31f141383b19bd305ee9a
SHA1 662ca63aa91656385a21ee1429e8cde4e9698c7b
SHA256 efd6b5c8de71b6b3c0f84032b66a2e1184fe6861820dda8528e3499d14712523
SHA512 da0aabf3162b13281b99e0aa24847573af1a60ae88876482ced57fae28496be61dccf28f7d4a407e1b5489a55be191b528622e4254566b36028fc5ca9c27757b
-
Filesize 2.0MB
MD5 11a665f51352853d9ed255573e4813ea
SHA1 28267d51b1553b032a22e5bab88a3eaa78bd2a62
SHA256 100e2962c870a65f351abcc8b0b39b8e6dd292c9e38bc95317f5f8e55555654c
SHA512 d23ce3ef31bc4b8501d88a324d52c55c7fde2c69df5a5b966dd3ba32db00535b1f9df15b1da58bb82aef8a484abdbc675d99c4dfa70c4c9f8636ce9e767be4e9
-
Filesize 1.3MB
MD5 50c479a35ed224a575e0aaf5f60a633e
SHA1 c22f7c2b738dd2389a9e2e2be643e6363bc525d3
SHA256 fdc83f5b2e7ce294e3be9d4a1e8cdde18426d7bc8e861fe1679d17e7f19bb4a7
SHA512 e17967179535f630435dad7ea9cb02a9f5344c2a8b84df36d923a4446c2efee1a09e12ee5d5bf1627bd03cbb7ed2008af997cd1c30b112216d8ae90a3f8456e4
-
Filesize 1.4MB
MD5 c4ad0691b7d078b9e3482f74c83af98a
SHA1 d123c354b87ea2814ac18340c14cdbfc50f977fd
SHA256 40e300ea7e8e79f6fb42ebd87b8ec8b15bb5ef476a905010403019f95517cdf0
SHA512 e29a7eb5bf85850595213c2ab581bafce3a84d9a193e09efc0edac55bc6351d01b1925d332b59ee7c0ff7c754db71b024f2da33e5e0d1a9874f8056a57bd4bec
-
Filesize 1.2MB
MD5 eb58689d99d77b26cf4551cbf03046d4
SHA1 d1d738835bf70b6539b3116d0c11af7eaf5f0749
SHA256 508a1e1ea48a6f020aee31f3c177b75bf2ae9264f0b07560388fba66bec42c9b
SHA512 41e556a59b4b8a029de3dca9fa861fab398dd06d5b82a1decdeb00024296502a7b011da612572497c89b79b7cd5b5036d3ec6598f4dccd0c41fdd14519a3695a
-
Filesize 1.3MB
MD5 dd81ad38e377d5934d94487bc9254feb
SHA1 01f2438d64c5cf32faa360b44ed276eca9c758bd
SHA256 9d6d125ac16dc8398cc8e444b20ac420987cf34a8761e9e5728b7de5f545e0e2
SHA512 67d358e390bb2977c37b61e5aafe25149cb808f25c10cd2d171c349d7c99561a5b0ed018bf0e5a0b3185cef9f91dfac223b470dd6325469f5f511a051248d53d
-
Filesize 1.4MB
MD5 1cf56a616bb25b071f12e64c87843cf0
SHA1 8faf4bd90afb52771475de378301ceb669771b7f
SHA256 f5d8a6ba2c0b94c6db882cd456dbad8cd7634714f13459a945a611c14a6d0585
SHA512 9d7fc9cf31c086ae06ef94b4a8f218db5c2246f66c27438131c649c3aff5339b5f653725ebabb7d411fc6bd67b3a528c07234a5df299f8e56b5bb6104f02da91
-
Filesize 2.1MB
MD5 131a1d18afda7aea585a79311e9e5a3e
SHA1 e58b60ec79aaff4ef276df4e2bbe2c9cd914672f
SHA256 ac9237b9f5e8bc03dc4d074f2cfd36ef5855ae1ecaa5ee95de2f4ed2e7fe04ee
SHA512 9ef25acb4b316c4a62ae96eb1ec7ace5dcf273cf35267fbc1d9240c8a2dff7477cbbf1f6007a67c2c56598842e346035d34f16f41f876f70b4ae368f47199045