blustealer | af2ff9bc5e9582e3301aea8cae68cb9fdea3e56b75dd57853c156c15757462d7

Analysis

max time kernel
148s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05-05-2023 18:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
Size

1.5MB
MD5

581f51fd35e943a69a4c569fa8654736
SHA1

610e7579a996ea788ccb688a9dda9d4855a40a2d
SHA256

18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043
SHA512

8bb8ce0f096c5a08e2457c7039f0169ae312f850e8189e240176e7a4ccf4ba113efe9f3a19e4e282ff66b60e48b0e07127270da804e0192f5ef091f7ea9e03db
SSDEEP

24576:Xbj8B+M73OglQfGmzu7SulbydbwcLxTDkU9tMMkB5lO2dMqtX1uP:XX++tglKKPwbwcLh4otmB7ldMg1C

Score

10^/10

blustealer collection spyware stealer

Malware Config

Extracted

Family

blustealer

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 22 IoCs

pid	Process
4224	alg.exe
2640	DiagnosticsHub.StandardCollector.Service.exe
4052	fxssvc.exe
1748	elevation_service.exe
848	elevation_service.exe
692	maintenanceservice.exe
4516	msdtc.exe
4360	OSE.EXE
4976	PerceptionSimulationService.exe
1172	perfhost.exe
1228	locator.exe
1340	SensorDataService.exe
3964	snmptrap.exe
4868	spectrum.exe
5104	ssh-agent.exe
3484	TieringEngineService.exe
2524	AgentService.exe
2148	vds.exe
4700	vssvc.exe
4452	wbengine.exe
2548	WmiApSrv.exe
2632	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\wbengine.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Windows\System32\alg.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Windows\system32\locator.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Windows\system32\vssvc.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Windows\system32\dllhost.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Windows\system32\spectrum.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Windows\system32\AgentService.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Windows\System32\vds.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\996671d0ea807a0f.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Windows\System32\msdtc.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Windows\system32\msiexec.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3428 set thread context of 3596	3428	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe	90
PID 3596 set thread context of 4152	3596	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe	98

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\pack200.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\nbexec64.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\kinit.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmid.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\policytool.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\pack200.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstat.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\keytool.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\klist.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jjs.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jhat.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmap.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\native2ascii.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jabswitch.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmc.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\orbd.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{A100221D-7AEF-402B-B05F-21D404F0BFBF}\chrome_installer.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javac.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\unpack200.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\orbd.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdb.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\kinit.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\schemagen.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jabswitch.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jsadebugd.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jinfo.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jps.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\java.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\kinit.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000057ebac3f927fd901	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004bdfea2f927fd901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000036545a2e927fd901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005b9fea42927fd901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007729912e927fd901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000067ff813f927fd901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000077cad31927fd901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000858c22f927fd901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	90	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3428	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
3428	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeDebugPrivilege	3428	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
Token: SeTakeOwnershipPrivilege	3596	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
Token: SeAuditPrivilege	4052	fxssvc.exe
Token: SeRestorePrivilege	3484	TieringEngineService.exe
Token: SeManageVolumePrivilege	3484	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2524	AgentService.exe
Token: SeBackupPrivilege	4700	vssvc.exe
Token: SeRestorePrivilege	4700	vssvc.exe
Token: SeAuditPrivilege	4700	vssvc.exe
Token: SeBackupPrivilege	4452	wbengine.exe
Token: SeRestorePrivilege	4452	wbengine.exe
Token: SeSecurityPrivilege	4452	wbengine.exe
Token: 33	2632	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2632	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2632	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2632	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2632	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2632	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2632	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2632	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2632	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2632	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2632	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2632	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2632	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2632	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2632	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2632	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2632	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2632	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2632	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2632	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2632	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2632	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2632	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2632	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2632	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2632	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2632	SearchIndexer.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3596	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 3428 wrote to memory of 4576	3428	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe	89
PID 3428 wrote to memory of 4576	3428	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe	89
PID 3428 wrote to memory of 4576	3428	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe	89
PID 3428 wrote to memory of 3596	3428	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe	90
PID 3428 wrote to memory of 3596	3428	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe	90
PID 3428 wrote to memory of 3596	3428	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe	90
PID 3428 wrote to memory of 3596	3428	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe	90
PID 3428 wrote to memory of 3596	3428	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe	90
PID 3428 wrote to memory of 3596	3428	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe	90
PID 3428 wrote to memory of 3596	3428	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe	90
PID 3428 wrote to memory of 3596	3428	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe	90
PID 3596 wrote to memory of 4152	3596	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe	98
PID 3596 wrote to memory of 4152	3596	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe	98
PID 3596 wrote to memory of 4152	3596	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe	98
PID 3596 wrote to memory of 4152	3596	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe	98
PID 3596 wrote to memory of 4152	3596	18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe	98
PID 2632 wrote to memory of 2184	2632	SearchIndexer.exe	120
PID 2632 wrote to memory of 2184	2632	SearchIndexer.exe	120
PID 2632 wrote to memory of 4716	2632	SearchIndexer.exe	121
PID 2632 wrote to memory of 4716	2632	SearchIndexer.exe	121

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
"C:\Users\Admin\AppData\Local\Temp\18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3428
- C:\Users\Admin\AppData\Local\Temp\18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
  "C:\Users\Admin\AppData\Local\Temp\18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe"
  2⤵
  PID:4576
- C:\Users\Admin\AppData\Local\Temp\18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe
  "C:\Users\Admin\AppData\Local\Temp\18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3596
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path
    PID:4152

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4224

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2640

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2612

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4052

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1748

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:848

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:692

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4516

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4360

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4976

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1172

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1228

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1340

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3964

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4868

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5104

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2728

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3484

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2524

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2148

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4700

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4452

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2548

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2632
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2184
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4716

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
ea476d1fdb54f317d7fb9d68fb239bb4

SHA1
d116d8a688aa5dbb1d08265e07975070ada55fec

SHA256
76699ea2ac1073cfe691d5c6951acfa7d7018954a45699a6713a2437e94a7192

SHA512
a34cb371aeec33c34a64b7669556045c221d4bf9d2555cf0821bac13c9f2f72e9ee02470ffb0b7a03b7832f6cf1e11376ec82a0ce6e80697e014e7fa3efeb4ab

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
397b36fc6898de1d47010a69efd7228a

SHA1
bdfb89f5d1b980b416ad369c19073c09b9cdc9b7

SHA256
fdc8922f67b55820ada40d4264d9391e9dc23992f06960ef4fae91827fdafca7

SHA512
af332ecacac3e2ff076b56cd45341b6019d1d15b843256d882fe55cb1356fb738f9a11d7460817c0e2c8f016f016059913035992029a41219549a719311542b8

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
affa61f257c04d67d8a73d8e4b08b8fd

SHA1
3f915f7ecb37243297ae1ca342e2c8aa16e079b9

SHA256
90a3fdbb1dde37ea16cc9a8bc5b1319cbfd24f8e4cc1a05e97104b3152c91206

SHA512
6e8a39b2ce13ced20291da617258a91d798df7171a8e6b32baf872b611fdd1fc2da2da0281ca621de6fae210f40bdd630329a525eaa4b44b95b1b0a627106242

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
8fa9d3936ff1d7fdaf51b91c9527c6a7

SHA1
d45291d5cd1a4fb6acfeb6ffd5280779dd81f65e

SHA256
6c49044db37f94468f5a3eedb16590b132811c4e1be62af1be490832814452ad

SHA512
ee50e4f83184be10363b160c973b1c451cd810435739ed93b0524d7e8d50285af41bbb6a1c7f94bd22f9f6ee22f783136d44f3ec6527d512430c497ed5a3b3f1

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
5a2558940cecbacc7bcadcc3f62e07a7

SHA1
72e826f6e3e5cfdea5c9e98d47a1711bb743f427

SHA256
c0cd3023add0c6fc5b4c19e9af843849045cac9880e220dea3fc29f341b4dfec

SHA512
d56a3b1001232699363f77775fc9881a603b5c9412580a93a65649ef47c8904811b7616a8c524a2683c71b6ee3a1d76906f66b14f95a1efe229a1f2403b77107

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
da81a4f73ffc829cebf489e3bd714e47

SHA1
8562a2e74fc794ff508b4f8f37483eed40241cbe

SHA256
63e52ce3e6f5164bc89f765767b906018643f8b38e4faeab834029a05c9d82c3

SHA512
ee33e9fd88a512710d0e6b4818566e36c424161450e91afe5b2abe760f5d8dcb430d1916f496d6e8c749e8087defdf5636843fc040e5c4fe4e2b6522b9b6bec5

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
192cd7d4ef40a570c02340e2478547d3

SHA1
4066eaed436378401659b32fe43ba505444d3f5f

SHA256
9818a1af230392200d7e5be43e0a80fd3ff4b1e5ee1266579cf5e9e3384ab19d

SHA512
2a77ab651e8f3a8b8ac52b2779a96a86e11f4be5a47cfeeb056631ab1f378da2061047f818d65b96135557a54471df1f801433bd9deb9cbb61c79da0ea27a429

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
1f13de2135d16459ac7b484c9c4c0d1a

SHA1
613fc2917f677141a379f112fa14d0ed98544e1c

SHA256
a3e5d5edcf977ebc37eeb0b92f425d7dcb2aed24525830eaedf10a86ba6090b4

SHA512
5ce57a203cf87cf5c32a5052c16a2897448cb89219c02247db8ea27bb192cadb73950b9a7613c42adeb0c79b73fdfee657c8505af227dbcf353e4f24b083edfc

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
1965ac98af72550f3d764c8a719e2b2a

SHA1
09e430ceea4edd57d05582a45c7c2fdb2125d5bb

SHA256
347249d430855662ae750ddac46fa21ca4685b16a5ca3c2b0c814db016099561

SHA512
029e106af1626930be40b029ca69106b39935f8bf78494fd6597c489fcc10ccc3f2da7c5e31fa513ddeabf38c91b6384728d31736a217e31c75f5bd69b912994

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
22cd208d7d109950771f5a38a99f68f5

SHA1
2af4bb6291c2d1ff0a479063172263e2ba3d9a58

SHA256
b050b38dbe0560a96f9b3eb44eee2b3d58a04b2267c253bb7117fa4ff3810234

SHA512
b20d31f1fbbb95d3f41cec562f32df22f9630f6a9c9a7757e7fbda100537c02faa4d6c7e07da863ef475ca36ff077e9c15f4cf78d81ce6b523fafe5952a2a8f1

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
22cd208d7d109950771f5a38a99f68f5

SHA1
2af4bb6291c2d1ff0a479063172263e2ba3d9a58

SHA256
b050b38dbe0560a96f9b3eb44eee2b3d58a04b2267c253bb7117fa4ff3810234

SHA512
b20d31f1fbbb95d3f41cec562f32df22f9630f6a9c9a7757e7fbda100537c02faa4d6c7e07da863ef475ca36ff077e9c15f4cf78d81ce6b523fafe5952a2a8f1

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
331b9a7470d41b23f076d8b74362a21d

SHA1
93d45607777ec7cb44fa33c9bad42ba8950dd1e5

SHA256
570eefdcc5ff204463030ea3cbff34e5ff0671d069dc1743b59353a20f0b5f5c

SHA512
8d39bf4b3b1e06a84b8b0cc0716e2c8d1e836d6c2629c1fa94b8beff143861150aff72783e2e2a30de1016f15bd9619242b652c92377366d87e1c1254888e962

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
79b23c46e53daa89e8930ba5fab0f63a

SHA1
afdc2f7df438c47039614cbc1278c54b35d21969

SHA256
85d3507f3f24ce175ef7bf1c7335449f8067687b123a30923134dee83e3df2d5

SHA512
40a1fb54620f08bfdf1671f5e319d4cc3f83610b489346baee5da205ef456ea18910f7d727ccea3ea7d229f4f5c09df0f3e09d44c7f5d5301beea630523cd812

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
8ab78eb40460cb110ac52f2dcc294e49

SHA1
71195efa813c9f19282ef4b103c27d0e22d24f1a

SHA256
451f47f764cd306858e8da33ec1435894ee783c51f5575ba1efb5d403404830d

SHA512
b2eb8b2d0647edadb3a7e470b3401ddf6847db010a5a414399d7b85b2d0aab72d0270b3a21478bac36410fc60a2586c025e5779c95ffb7ce3ab9d12272a12d88

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
1b8e1c4cfa07e591db99d642c2efa7c7

SHA1
6a51d1aa18b9c8688fe60f52d878ad25f27ca1e8

SHA256
1d63bcea6f5a41b0a52084c359f32d49373328826720a87f0ea956e30595ee13

SHA512
a87c32396226caeace7bfb2197631ad81cbd4bfb0ea3e4315b9cc9c74fad3a5daba2f4ad3f5c3cf17034583aee66267b2caca7dab8af64cbb72f0b8de8a7e845

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
44c8b34f3e2205eb500166d07fa05286

SHA1
75f6caeab33a3c81666bbb5a12d15d58dfbab6b8

SHA256
3761174dd3b79d96be96dd1457b42896a3d39d2efb4510024dfe1581bd476fb7

SHA512
f1b09d32634bfce7bf145978fcaa98f39ec8979a595a0abf304cd9ff0a40f10b47213350c3b55de2ebb73b0a77fb8e130bcb6ca4622380511c6229aa7def9cb8

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
3824812efabdf002b30fc3ccbe0bef36

SHA1
ba1042b8537ca9c74b150f88726ea9940b713068

SHA256
a4ca705d0a3b931df732ec652a00f23f40903b34abda97dfdea5396ac2a833e0

SHA512
e6f19ee511d94adc749970195cfc1aff8081e80fe0ec1480c27ad6c05c6a71b8509f5ec2b3b800d0601ad64a2270abcbb725dcca1b560d650744dfc418de11b0

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
f2fa542ed566c74eb8a6e01b6706ce9f

SHA1
9c97cea55c77a681c3ab356fde33c09fada17a64

SHA256
517f93e7d0d74d445c1bf6bb85725976e6deb021da670a4a6d5dd50505f58500

SHA512
5bf193061ba65229a3e54ba1028d86614490a3cfff1707a504d7768ba03d7411c1d32a797656f56da4085dd538f0f320be305e2627d9c801d451c613673c42a5

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
633d796a2e5f8f612fb2a2ff1aaf857a

SHA1
2b372adfba3666502957b5e263413e653d0ac589

SHA256
8a99f7c0064426320bf39f56aac32a29fcf3ebc85218c28cb1b11969d5824eb1

SHA512
23fe11bc3e49e526c89c59c22b6bd7a78754ebbb2e376d63dcc864fdac711b1b051f3dd661ffe07ec9a9b23b7c1e728562ddee833e85e5e50f92ab41f590e62b

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
43f887bf64f2fa26ec9533f4211975b0

SHA1
c5c9c7c825c79f354a8b5f9d7263753d9578a7a2

SHA256
4955e9a2f5b5257e78bc35a5ec0a422c9a8ed56449246f92c0c320bf5c12fbd6

SHA512
7d4d3759e0efe7246b8668aefbf595a4afaba683785ddb11aa62aa50f0a0a1495ed1c9edcb8161766383f01187b7986046f55a0966dabfcefb567ad73cbc5315

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
383372e5255cba6da9ea6fd3a244c479

SHA1
ec20c9f4ee3d2a6281c06f351fcb8038e3b24c55

SHA256
8735158acfdce0d1dd15960e8854cf62a86ef4c9449eecd4553be5eb8e5eb0fd

SHA512
8fa36fa5bf01ba2393a261a2e86c0d8f8354596d24507a96ee0d990bb755f6e9889ab6943aeb77f9f8352d507c09d8d748f1f29e8b5672f8f8e383f188eb5780

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
6d4363ecc774cb702262015f3dc192eb

SHA1
9df3b42867d8f2d661ef8678197084da2a9915d2

SHA256
7ab30e98a62b6eee3473d8feead26bf4178c6a772985cae130b682c56d31d163

SHA512
c2569b77448997c8713e80a48e8496aa91e3cf6ee29afef8e698546e204945c2cd5b94a053ce36c031ee01aeb50e42a09e035f0e65fc7731a028991336a620ce

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
ad6227fc2f3e41726682addfb8daac4b

SHA1
229a2f3a3e5aefc76baff03631cd1c064c6218f9

SHA256
9b5f33eba7e92d0faeaeebe945f82cf17f1d16030e582782b79c316d7987d617

SHA512
688df875300b7f937c77e12c84c152cd1d84e0ac3e4d3de90f41c63f6b98e28389ce2f8aa00a350eb8cb4cf8280441bfa2d73c1f4fc9ce15b24815e5674a3f7d

Download Submit
memory/692-231-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/692-228-0x0000000001F60000-0x0000000001FC0000-memory.dmp

Filesize
384KB

Download
memory/692-225-0x0000000001F60000-0x0000000001FC0000-memory.dmp

Filesize
384KB

Download
memory/692-219-0x0000000001F60000-0x0000000001FC0000-memory.dmp

Filesize
384KB

Download
memory/848-451-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/848-205-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/848-211-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/848-217-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1172-288-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/1228-289-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/1340-320-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1340-458-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1748-191-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/1748-216-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1748-450-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1748-198-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/2148-380-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2524-359-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2548-476-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/2548-414-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/2632-477-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2632-415-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2640-169-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/2640-184-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/2640-175-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/3428-134-0x0000000005110000-0x0000000005120000-memory.dmp

Filesize
64KB

Download
memory/3428-135-0x0000000005870000-0x0000000005E14000-memory.dmp

Filesize
5.6MB

Download
memory/3428-136-0x0000000005360000-0x00000000053F2000-memory.dmp

Filesize
584KB

Download
memory/3428-133-0x0000000000660000-0x00000000007DE000-memory.dmp

Filesize
1.5MB

Download
memory/3428-137-0x0000000005110000-0x0000000005120000-memory.dmp

Filesize
64KB

Download
memory/3428-138-0x0000000007240000-0x00000000072DC000-memory.dmp

Filesize
624KB

Download
memory/3484-346-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/3596-144-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/3596-143-0x0000000002E80000-0x0000000002EE6000-memory.dmp

Filesize
408KB

Download
memory/3596-379-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/3596-149-0x0000000002E80000-0x0000000002EE6000-memory.dmp

Filesize
408KB

Download
memory/3596-139-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/3596-141-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/3964-322-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/4052-179-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/4052-187-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4052-186-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/4052-202-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4052-200-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/4152-214-0x0000000004E20000-0x0000000004E30000-memory.dmp

Filesize
64KB

Download
memory/4152-197-0x0000000000B00000-0x0000000000B66000-memory.dmp

Filesize
408KB

Download
memory/4224-166-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/4224-162-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4224-156-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4360-455-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/4360-251-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/4452-413-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4516-241-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/4516-233-0x0000000000D20000-0x0000000000D80000-memory.dmp

Filesize
384KB

Download
memory/4700-475-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4700-381-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4716-669-0x00000299F5110000-0x00000299F5120000-memory.dmp

Filesize
64KB

Download
memory/4716-667-0x00000299F5110000-0x00000299F5120000-memory.dmp

Filesize
64KB

Download
memory/4716-676-0x00000299F5110000-0x00000299F5120000-memory.dmp

Filesize
64KB

Download
memory/4716-675-0x00000299F5110000-0x00000299F5120000-memory.dmp

Filesize
64KB

Download
memory/4716-647-0x00000299F5050000-0x00000299F5060000-memory.dmp

Filesize
64KB

Download
memory/4716-648-0x00000299F5070000-0x00000299F5080000-memory.dmp

Filesize
64KB

Download
memory/4716-649-0x00000299F5080000-0x00000299F5090000-memory.dmp

Filesize
64KB

Download
memory/4716-674-0x00000299F5110000-0x00000299F5120000-memory.dmp

Filesize
64KB

Download
memory/4716-668-0x00000299F5110000-0x00000299F5120000-memory.dmp

Filesize
64KB

Download
memory/4716-673-0x00000299F5110000-0x00000299F5120000-memory.dmp

Filesize
64KB

Download
memory/4716-670-0x00000299F5110000-0x00000299F5120000-memory.dmp

Filesize
64KB

Download
memory/4716-671-0x00000299F5070000-0x00000299F5080000-memory.dmp

Filesize
64KB

Download
memory/4716-672-0x00000299F5080000-0x00000299F5090000-memory.dmp

Filesize
64KB

Download
memory/4868-459-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4868-323-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4976-286-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/5104-345-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download