blustealer | d4f62b8520f3f0e84b19769be0f7bcdc20e41af8cea048261f3e37c0428b22d7

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
04/05/2023, 08:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Purchase Order 202319876.exe
Size

1.5MB
MD5

a838a2013c038b3a5039cb9abb199922
SHA1

6a315d36c940cd95359cd4ef46c5688352a22a42
SHA256

d4f62b8520f3f0e84b19769be0f7bcdc20e41af8cea048261f3e37c0428b22d7
SHA512

8b80c742b598d0df74e5d7b57e5ceb386d74531572a41b02614651ef9f914367e00ef23c12548f9009500af8ca9d6085406d417fc405f6ca528222a77ea83cbe
SSDEEP

24576:Bq3UElwshsKgvyH1kz7iQ2Py9so+4XfbqQtTpSrwCDCSD85vvOn2rRAJdqfcd7AH:Q3UElf6Lk1y7iSFd5BvWn2WJdyk8P

Score

10^/10

blustealer collection spyware stealer

Malware Config

Extracted

Family

blustealer

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 22 IoCs

pid	Process
1780	alg.exe
4420	DiagnosticsHub.StandardCollector.Service.exe
1864	fxssvc.exe
4880	elevation_service.exe
1792	elevation_service.exe
384	maintenanceservice.exe
1316	msdtc.exe
4256	OSE.EXE
3744	PerceptionSimulationService.exe
3716	perfhost.exe
1608	locator.exe
1428	SensorDataService.exe
4068	snmptrap.exe
3732	spectrum.exe
3440	ssh-agent.exe
2208	TieringEngineService.exe
4720	AgentService.exe
2624	vds.exe
2640	vssvc.exe
2596	wbengine.exe
3168	WmiApSrv.exe
4684	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\SensorDataService.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\system32\vssvc.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\2a9e9abb50d0d086.bin	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\system32\AgentService.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\System32\vds.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\System32\msdtc.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\system32\locator.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\system32\spectrum.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\system32\wbengine.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\System32\alg.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\system32\dllhost.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	Purchase Order 202319876.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4524 set thread context of 2068	4524	Purchase Order 202319876.exe	91
PID 2068 set thread context of 776	2068	Purchase Order 202319876.exe	96

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmid.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\wsgen.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jvisualvm.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\serialver.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\rmid.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\orbd.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\servertool.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jinfo.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jcmd.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\orbd.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\policytool.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmic.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jjs.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\kinit.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdb.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\klist.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\servertool.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jabswitch.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\unpack200.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdeps.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmap.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\unpack200.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javaws.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe	Purchase Order 202319876.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004aeabc53737ed901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007aa1f452737ed901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d41c3454737ed901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005364dd54737ed901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006a889b53737ed901	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ea668054737ed901	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000104f2755737ed901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001040f252737ed901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c3633753737ed901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e1924954737ed901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	82	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
2068	Purchase Order 202319876.exe
2068	Purchase Order 202319876.exe
2068	Purchase Order 202319876.exe
2068	Purchase Order 202319876.exe
2068	Purchase Order 202319876.exe
2068	Purchase Order 202319876.exe
2068	Purchase Order 202319876.exe
2068	Purchase Order 202319876.exe
2068	Purchase Order 202319876.exe
2068	Purchase Order 202319876.exe
2068	Purchase Order 202319876.exe
2068	Purchase Order 202319876.exe
2068	Purchase Order 202319876.exe
2068	Purchase Order 202319876.exe
2068	Purchase Order 202319876.exe
2068	Purchase Order 202319876.exe
2068	Purchase Order 202319876.exe
2068	Purchase Order 202319876.exe
2068	Purchase Order 202319876.exe
2068	Purchase Order 202319876.exe
2068	Purchase Order 202319876.exe
2068	Purchase Order 202319876.exe
2068	Purchase Order 202319876.exe
2068	Purchase Order 202319876.exe
2068	Purchase Order 202319876.exe
2068	Purchase Order 202319876.exe
2068	Purchase Order 202319876.exe
2068	Purchase Order 202319876.exe
2068	Purchase Order 202319876.exe
2068	Purchase Order 202319876.exe
2068	Purchase Order 202319876.exe
2068	Purchase Order 202319876.exe
2068	Purchase Order 202319876.exe
2068	Purchase Order 202319876.exe
2068	Purchase Order 202319876.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2068	Purchase Order 202319876.exe
Token: SeAuditPrivilege	1864	fxssvc.exe
Token: SeRestorePrivilege	2208	TieringEngineService.exe
Token: SeManageVolumePrivilege	2208	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4720	AgentService.exe
Token: SeBackupPrivilege	2640	vssvc.exe
Token: SeRestorePrivilege	2640	vssvc.exe
Token: SeAuditPrivilege	2640	vssvc.exe
Token: SeBackupPrivilege	2596	wbengine.exe
Token: SeRestorePrivilege	2596	wbengine.exe
Token: SeSecurityPrivilege	2596	wbengine.exe
Token: 33	4684	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4684	SearchIndexer.exe
Token: SeDebugPrivilege	2068	Purchase Order 202319876.exe
Token: SeDebugPrivilege	2068	Purchase Order 202319876.exe
Token: SeDebugPrivilege	2068	Purchase Order 202319876.exe
Token: SeDebugPrivilege	2068	Purchase Order 202319876.exe
Token: SeDebugPrivilege	2068	Purchase Order 202319876.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2068	Purchase Order 202319876.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 4524 wrote to memory of 2068	4524	Purchase Order 202319876.exe	91
PID 4524 wrote to memory of 2068	4524	Purchase Order 202319876.exe	91
PID 4524 wrote to memory of 2068	4524	Purchase Order 202319876.exe	91
PID 4524 wrote to memory of 2068	4524	Purchase Order 202319876.exe	91
PID 4524 wrote to memory of 2068	4524	Purchase Order 202319876.exe	91
PID 4524 wrote to memory of 2068	4524	Purchase Order 202319876.exe	91
PID 4524 wrote to memory of 2068	4524	Purchase Order 202319876.exe	91
PID 4524 wrote to memory of 2068	4524	Purchase Order 202319876.exe	91
PID 2068 wrote to memory of 776	2068	Purchase Order 202319876.exe	96
PID 2068 wrote to memory of 776	2068	Purchase Order 202319876.exe	96
PID 2068 wrote to memory of 776	2068	Purchase Order 202319876.exe	96
PID 2068 wrote to memory of 776	2068	Purchase Order 202319876.exe	96
PID 2068 wrote to memory of 776	2068	Purchase Order 202319876.exe	96
PID 4684 wrote to memory of 916	4684	SearchIndexer.exe	119
PID 4684 wrote to memory of 916	4684	SearchIndexer.exe	119
PID 4684 wrote to memory of 3056	4684	SearchIndexer.exe	120
PID 4684 wrote to memory of 3056	4684	SearchIndexer.exe	120

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\Purchase Order 202319876.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase Order 202319876.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4524
- C:\Users\Admin\AppData\Local\Temp\Purchase Order 202319876.exe
  "C:\Users\Admin\AppData\Local\Temp\Purchase Order 202319876.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2068
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path
    PID:776

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1780

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4420

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2748

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1864

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4880

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1792

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:384

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1316

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4256

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3744

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3716

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1608

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1428

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4068

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3732

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3080

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3440

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2208

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4720

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2624

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2640

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2596

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3168

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4684
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:916
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 900
  2⤵
  - Modifies data under HKEY_USERS
  PID:3056

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
63475e2c4c343838adac598b523da496

SHA1
4a6febe3be12c029397271ee92d97bb179e8e08c

SHA256
8e398856038d3c0e115ebcbc2d96f43fe3c860a4a47676e4cf1a9c96c273da4b

SHA512
eeacc938c7d09fe1f5cb963c7b255d35c79bbd1006945adca4734f4a0b855f522d743f3e45069ed162cf84a89e1c0cd4362b604cdfaa1f95bc9f2765a55ac913

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
ce320e39ff1946ee4fe064f540c4e21e

SHA1
c0ef08c4a5ac3196410dd6394fe09b980bc6760c

SHA256
425aa9898f97abb414869e6cede749bc3ac6094240aacdfa6f8444c22eb9fa14

SHA512
520a78128aad68153f2eae38f53fea932e4d83bb70f0079cb783fcb1b9188c848886f19ffb5a9418ce5e88464fa64fcbd948c9b07247cec17a290a3b3e3a78d4

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
7dfabdaf1a42dcb81fa50c4a7a5390c7

SHA1
be19bd0a0d21adb68ae8269b4374ae838c147683

SHA256
cc1b798e0467648c83a6a8107ce01185a641f75370b350ec8c39992887542e3a

SHA512
012739fca52209220cb0821775197a8cf0f5f6674334edcff1ba603f63f654e13f2367174d772cf0e49f7c3ee3458e1242b7898d57e1e5804ddf4796c6f3bb97

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
0210ff1a0c951fb8efdf687859cc9bf8

SHA1
d88cfb282e690e88822f3e4f613e1e7941987542

SHA256
3a0b3919958247e6344d17d8ba12aeddbefadc7b05495c13cc93cd2e49eeb77a

SHA512
7cb8ce1f3a3622bdc075cf1874bbb9fe762c0f4636b2e2693cb65daf115ece333c2317e68d9f9215b94a9a19bfd16816c3224de6ba349563019485f284dd5b9e

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
a3846786772d942c2c505cd021fdc2d0

SHA1
9ef5985d643a924e464ca37c0cd3e1a892e034ee

SHA256
8a814050dae085b9a16600871f613e7b54500009b14d7c3fc043f522becbe4aa

SHA512
aa13d615f6805be9847c470178e76d43af1a5a8848a1f5cd784cf319b4f44484929402a85d538d67033cbbcc4014935cfd60d80c6028caa3fb92e6068bf58574

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
0249b8e09f14e6747a3d59fc84f509ba

SHA1
34f99f99670c6c9acc77cd0a7487fd7d00f91bcd

SHA256
283411020abb4556150cac50689a95d2bf9af9448da03982ece05f990e19eb99

SHA512
3711533a08145653dc01e8c415ca1f3de6a197920171685f8534b80990fcb1ce39d678ade0a487c899aea677f581872c9d5f69c9e3b03d5d1bde51973210265e

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
272481df0e60e7fff30301d4d6782e30

SHA1
4b1f1949c21c4b91bdca23ea8815dd2cd6b4e831

SHA256
4004ff467aeb7ffe2f07acd1e6204e3de9fef0e1567a89e3e4d9eb9ad67bd3ed

SHA512
5f3c5246afc4c50360a823b2e423bc2d10c05df78bacd1ec7b66d94034e6a39ec67a281885398aba07bc7b466f0b72d4fcdad98703d9825113b5a0768097d243

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
f51fe1f0fce2577e54912441015381b6

SHA1
018b4e2651199dcd4fb0b25cea7ae05aa90aa798

SHA256
c61cfcf3fa1ee17e59d1d29822fad6af0fd0c17e16796b0c60bca484ce6752ef

SHA512
2e0760bae47a00c8f02cc3a80269f319deb9a5a2679d461b1fd1590b8792f422c066f90d3052882bf690781356016c50cf97df346aa6f85f8d3d0114f7f95ce7

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
3844bb440b46872bd7544d6f558c6470

SHA1
addba996e133918b45b949d39deb0413a859c6f4

SHA256
b836de44090f3ed441128b88ae735cc5cca5c31a66b6e617930e56e026c1f25b

SHA512
6cfa4f0786d7d30497d6a61e0ca1a0ea66359f8c12dcbb617569c0d19ddea8d692498d04373d78a2a9c33eb3e94ddfb89dcc1d92f5e841c7dda33e31fee992eb

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
afce59b2ac82d4ae526fc0b5867acd78

SHA1
a937eb7d948cce54990ba52ab1fdc937f18b08c6

SHA256
488111bfbb716e537d8801b428f3027c582472bb36274d07f5018cff6942f3d8

SHA512
3855f777fb8612aa536962aea7f3ec9570d42934eef69f5c954d5f100874ea934df58726ee017b6a2426d17a357f65f9c6680238ee1a63d93e4ab48c4b2c5583

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
afce59b2ac82d4ae526fc0b5867acd78

SHA1
a937eb7d948cce54990ba52ab1fdc937f18b08c6

SHA256
488111bfbb716e537d8801b428f3027c582472bb36274d07f5018cff6942f3d8

SHA512
3855f777fb8612aa536962aea7f3ec9570d42934eef69f5c954d5f100874ea934df58726ee017b6a2426d17a357f65f9c6680238ee1a63d93e4ab48c4b2c5583

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
7d70086272767845dbc68e4513cc3008

SHA1
c5071445477ed5d3fc225ec7b39fc8e38ee56301

SHA256
0481aa1b592e6e42ea6e7925b3a50c6e1234de2d10227565ce8fd4e00478fe6a

SHA512
ed441939c32a661342c483c6bd75c095d8e7d8ad83aedb49efadc605d9ffcbd83af2645deb486837dd2cfb23c835b42e0fbf511d9f91ab2e97a6e84bd4715e27

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
63c05eda74bd4732a7315962abed22b2

SHA1
368fd8768afa13ab182229275eb0d4958eef2766

SHA256
0a448c29259722f734979fc2c7a44597bb9b97db414d7d1ea93e3049a01404b5

SHA512
29fed81ca8d314e4efd60f456b8017dcfd00ffbb0aa77955362651eace3e386adf00780b39e326925e64c9209666d2f020f5adaca1a4d1b49743c400ab97f2a4

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
cd8d06e29cc7b83dfdd1ebced99c5e17

SHA1
6ead9eb38fa6511c0af332576914665f77cf1791

SHA256
10047d4d31c6a184ff221a1b4bbe9f21dc4ba78787d0c4f68201b7d0d7c6bfd8

SHA512
62686b5f76e3976e7ff95d5d908285e64ec6af6dedaa7262c6d430117a9d0727b19ae076790556a8cbc840591639b2bfb7d71721f2541c2c2b009388ec8b00eb

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
a8bf8323890aaa7f3ca6a8687f4f98d5

SHA1
ec9c2290e9aa201020a8a2b2ed81ad3a14fe664a

SHA256
5eb457341f12a7437beeb440cdc4845e43240db909d3b4ed0dc4bc159dcfec16

SHA512
217787ea840f4180107334d7dd6e22ce1c3e6efe6a9fc178600c6a18aba2cd1e23c02ae267f3ed42e9924d9fa69b39df27b8ee65de38ed76a8e0481e8ef1aba0

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
a1c886ae53071b8dfd0e91b51aca5c26

SHA1
ff3598ede83339ed528436adc5fea4e84091cd18

SHA256
6795aee00bfb900c236dd923d86e383e3cf850fdffef14efc67c760c3ccdc8ea

SHA512
1cad5c66d3c0be979eeb804ec33d7ebb96141be08479c086d09c7b3c702854aed6788a7ea3c57255c8bc63e2ff1878052a5cb6f7b855c92bd68646b2701a6215

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
ddb932d7ab00638f7f2e54aedc79a0fb

SHA1
e17a637521c3dafc19d0c77d25a8e80a217995ee

SHA256
04cd8f72f0fa11e303f419e921f71465f694659d490e2dab16d5c295176c3441

SHA512
4f4f0755b16d45bd73004196201c8c6c6f9eebea3e536e5a0c8744e206b5e3da62b6aa615ef36046bf5175e76d567efd7661e02cfaf18083c25ed7b95c8aa014

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
0cfef902ee8c881571c714710c73285a

SHA1
20529c429e2dfb14247ca89ac07450a53306fb3a

SHA256
6a22b8a2783e9d36a7541d69985fcbac8ee298e53ac0474fd7458ea5741dbeaa

SHA512
80aa698be558df92e0a85e2c6e56e5817330e4b6b5e8a1bde86dfa54edacbce6fa475abe3699f56975b340cc7e1bf1ac489dbbcde15cd173ab9a1900b3e4fa9d

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
0737dc9a8830e8d92ad7049bb43b6c13

SHA1
9af6862d2a705a12e0539fab6a48842abf24c738

SHA256
33a99b6fb68965ba05f9f19c9afa06c4850d6742ed9de58523ec98c9a1208341

SHA512
5d43cdac83e209422f29c5c22b40316440fa77cad21ba1f4187c5daba4ce5f39403ff6445ca3da1f04b45a68a25171f06a600ebff19b6c2e9e46890366950f0f

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
26721b79611a7d3d8f3068547d013b11

SHA1
1e8a09ab7962b9ca4e753b3de3f7c6c0e4a9bbe6

SHA256
106823780876c1a9bba31b841df42991016712db97736528a9e0d04f73ba1bc0

SHA512
6386409c4482f775363653234a2059f47ebb60c78ccbed75ce5fbd0409388cc5d187de8c4a31af23e972238a359cd8e8342ed475e7491dde44e09db7ad182631

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
4400118989fe164ad293f73c4f3a1a5e

SHA1
637af6666d666637deac0096b22507768c0d257b

SHA256
de1dd869e6249c86a14110194274795fa71af95c9eda5c0fc34ff879cfbd84e9

SHA512
9d8de2eba74c05c2a16f99161877e675b40e59ca203af5c93c08a5fc5e27d2bbbecd21352b72da99ad787910dac52536973685897f18a267ce051097e3b2b926

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
74a531fb0739a93c5d167f9f97aa2d81

SHA1
4927c6225aa07076f340fd5b63c8d384ce685b9c

SHA256
3643bea129690dd01317e6b701b51eb4790587df3f6af54a2fd0fdc701b2513f

SHA512
a03bf336ecbe977b356ed773ca861314765844383a4fa7bf9b1365dc32272f6882fa4edacae681d910ad86ace30eecaa6d1f0494ec7c3fcb0d13a63adeed7110

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
a96e498e3df5005a51a2ca30ca9062cd

SHA1
b68bb6ba55985cd52357d525e357f6030c65e56f

SHA256
812462ec7dd319f0db378558141cc9d4eea0b9557995c2b174788ee6f1e5f713

SHA512
da7657724570009deb2de25f57c6e6d7b80e99b32c387ec03ea53b2e1b1b5570abc6d1a8e6752e9c63156823b586c2744907e1b580cdc95cf2650d6ace475f25

Download Submit
memory/384-229-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/384-226-0x0000000002260000-0x00000000022C0000-memory.dmp

Filesize
384KB

Download
memory/384-223-0x0000000002260000-0x00000000022C0000-memory.dmp

Filesize
384KB

Download
memory/384-217-0x0000000002260000-0x00000000022C0000-memory.dmp

Filesize
384KB

Download
memory/776-194-0x0000000000FC0000-0x0000000001026000-memory.dmp

Filesize
408KB

Download
memory/776-202-0x0000000005480000-0x0000000005490000-memory.dmp

Filesize
64KB

Download
memory/1316-232-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/1316-257-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/1428-319-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1428-539-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1608-288-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/1780-155-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/1780-156-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/1780-386-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/1780-163-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/1792-536-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1792-213-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/1792-231-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1792-207-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/1864-189-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/1864-192-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1864-180-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/1864-186-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/2068-142-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/2068-148-0x0000000002F90000-0x0000000002FF6000-memory.dmp

Filesize
408KB

Download
memory/2068-143-0x0000000002F90000-0x0000000002FF6000-memory.dmp

Filesize
408KB

Download
memory/2068-159-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/2068-420-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/2068-139-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/2208-548-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/2208-344-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/2596-391-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2596-558-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2624-370-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2640-557-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2640-388-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3056-667-0x000001C36AE30000-0x000001C36AE31000-memory.dmp

Filesize
4KB

Download
memory/3056-720-0x000001C36AFD0000-0x000001C36AFE0000-memory.dmp

Filesize
64KB

Download
memory/3056-671-0x000001C36AE50000-0x000001C36AE60000-memory.dmp

Filesize
64KB

Download
memory/3056-768-0x000001C36AFD0000-0x000001C36AFE0000-memory.dmp

Filesize
64KB

Download
memory/3056-767-0x000001C36AFD0000-0x000001C36AFE0000-memory.dmp

Filesize
64KB

Download
memory/3056-766-0x000001C36AFD0000-0x000001C36AFE0000-memory.dmp

Filesize
64KB

Download
memory/3056-669-0x000001C36AE50000-0x000001C36AE60000-memory.dmp

Filesize
64KB

Download
memory/3056-765-0x000001C36AE30000-0x000001C36AE31000-memory.dmp

Filesize
4KB

Download
memory/3056-760-0x000001C36B080000-0x000001C36B090000-memory.dmp

Filesize
64KB

Download
memory/3056-721-0x000001C36AFD0000-0x000001C36AFE0000-memory.dmp

Filesize
64KB

Download
memory/3056-670-0x000001C36AE50000-0x000001C36AE60000-memory.dmp

Filesize
64KB

Download
memory/3056-762-0x000001C36B080000-0x000001C36B090000-memory.dmp

Filesize
64KB

Download
memory/3056-668-0x000001C36AE50000-0x000001C36AE60000-memory.dmp

Filesize
64KB

Download
memory/3056-722-0x000001C36AFD0000-0x000001C36AFE0000-memory.dmp

Filesize
64KB

Download
memory/3056-672-0x000001C36AE50000-0x000001C36AE60000-memory.dmp

Filesize
64KB

Download
memory/3056-666-0x000001C36AE20000-0x000001C36AE30000-memory.dmp

Filesize
64KB

Download
memory/3056-723-0x000001C36AFD0000-0x000001C36AFE0000-memory.dmp

Filesize
64KB

Download
memory/3056-761-0x000001C36B080000-0x000001C36B090000-memory.dmp

Filesize
64KB

Download
memory/3056-687-0x000001C36AE50000-0x000001C36AE60000-memory.dmp

Filesize
64KB

Download
memory/3056-724-0x000001C36AFD0000-0x000001C36AFE0000-memory.dmp

Filesize
64KB

Download
memory/3056-758-0x000001C36B080000-0x000001C36B090000-memory.dmp

Filesize
64KB

Download
memory/3056-759-0x000001C36B080000-0x000001C36B090000-memory.dmp

Filesize
64KB

Download
memory/3168-562-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/3168-425-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/3440-343-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/3716-286-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/3732-544-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3732-321-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3744-540-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/3744-261-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/4068-320-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/4256-259-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/4420-169-0x0000000000490000-0x00000000004F0000-memory.dmp

Filesize
384KB

Download
memory/4420-178-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/4420-175-0x0000000000490000-0x00000000004F0000-memory.dmp

Filesize
384KB

Download
memory/4524-134-0x00000000051F0000-0x0000000005200000-memory.dmp

Filesize
64KB

Download
memory/4524-133-0x00000000006D0000-0x0000000000850000-memory.dmp

Filesize
1.5MB

Download
memory/4524-135-0x0000000005910000-0x0000000005EB4000-memory.dmp

Filesize
5.6MB

Download
memory/4524-136-0x0000000005400000-0x0000000005492000-memory.dmp

Filesize
584KB

Download
memory/4524-137-0x00000000051F0000-0x0000000005200000-memory.dmp

Filesize
64KB

Download
memory/4524-138-0x0000000009730000-0x00000000097CC000-memory.dmp

Filesize
624KB

Download
memory/4684-563-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4684-428-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4720-358-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4880-204-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4880-200-0x00000000007A0000-0x0000000000800000-memory.dmp

Filesize
384KB

Download
memory/4880-193-0x00000000007A0000-0x0000000000800000-memory.dmp

Filesize
384KB

Download
memory/4880-513-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download