Analysis
max time kernel: 151s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64 arch:x86 image:win10v2004-20230220-en locale:en-us os:windows10-2004-x64 system
submitted: 05-05-2023 20:57
Static task: static1
Behavioral task: behavioral1
  Sample: SecuriteInfo.com.Heur.24719.4239.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: SecuriteInfo.com.Heur.24719.4239.exe
  Resource: win10v2004-20230220-en
General
Target: SecuriteInfo.com.Heur.24719.4239.exe
Size: 1.6MB
MD5: 170860057f4aad06ddbeea0ca2b3f1b6
SHA1: db04c735b769df458518f959ae7eca39cfa06213
SHA256: e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998
SHA512: f8bf57126bad026be2414121c798d5688119f06312404c35dea3f457deb717f6422291f5401178586fd23055577f893b4e6236e413c909e3b526c45d3b957766
SSDEEP: 24576:uU7taDBzgNEfeEvFTMxdzYPh1ogay/zj1weNgcHFx5MpfTjU/c7jNXPohE:uU7PNBmMxdEvogdzxzHFx+pfTgE7VPI
Malware Config
Extracted: blustealer
https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325
Signatures
BluStealer
A modular information stealer written in Visual Basic.
Executes dropped EXE 22 IoCs
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials and other sensitive information.
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description  ioc  Process
Key opened  \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  AppLaunch.exe
Key opened  \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  AppLaunch.exe
Key opened  \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  AppLaunch.exe
Drops file in System32 directory 24 IoCs
Suspicious use of SetThreadContext 2 IoCs
description  pid  Process  procid_target
PID 2828 set thread context of 3836  2828  SecuriteInfo.com.Heur.24719.4239.exe  92
PID 3836 set thread context of 3360  3836  SecuriteInfo.com.Heur.24719.4239.exe  98
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 2 IoCs
description  ioc  Process
File opened for modification  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe  SecuriteInfo.com.Heur.24719.4239.exe
File opened for modification  C:\Windows\DtcInstall.log  msdtc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description  ioc  Process
Key opened  \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0  TieringEngineService.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  TieringEngineService.exe
Modifies data under HKEY_USERS 64 IoCs
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
description flow ioc
HTTP User-Agent header 79 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: EnumeratesProcesses 37 IoCs
pid Process
2828 SecuriteInfo.com.Heur.24719.4239.exe (2 entries)
3836 SecuriteInfo.com.Heur.24719.4239.exe (35 entries)
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
656 Process not Found
656 Process not Found
Suspicious use of AdjustPrivilegeToken 44 IoCs
description pid Process
Token: SeDebugPrivilege 2828 SecuriteInfo.com.Heur.24719.4239.exe
Token: SeTakeOwnershipPrivilege 3836 SecuriteInfo.com.Heur.24719.4239.exe
Token: SeAuditPrivilege 4380 fxssvc.exe
Token: SeRestorePrivilege 4672 TieringEngineService.exe
Token: SeManageVolumePrivilege 4672 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 1856 AgentService.exe
Token: SeBackupPrivilege 2768 vssvc.exe
Token: SeRestorePrivilege 2768 vssvc.exe
Token: SeAuditPrivilege 2768 vssvc.exe
Token: SeBackupPrivilege 3844 wbengine.exe
Token: SeRestorePrivilege 3844 wbengine.exe
Token: SeSecurityPrivilege 3844 wbengine.exe
Token: 33 224 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 224 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 224 SearchIndexer.exe (25 entries)
Token: SeDebugPrivilege 3836 SecuriteInfo.com.Heur.24719.4239.exe (5 entries)
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process
3836 SecuriteInfo.com.Heur.24719.4239.exe
Suspicious use of WriteProcessMemory 20 IoCs
description pid Process procid_target
PID 2828 wrote to memory of 3940 2828 SecuriteInfo.com.Heur.24719.4239.exe 91 (3 entries)
PID 2828 wrote to memory of 3836 2828 SecuriteInfo.com.Heur.24719.4239.exe 92 (8 entries)
PID 3836 wrote to memory of 3360 3836 SecuriteInfo.com.Heur.24719.4239.exe 98 (5 entries)
PID 224 wrote to memory of 4204 224 SearchIndexer.exe 120 (2 entries)
PID 224 wrote to memory of 1432 224 SearchIndexer.exe 121 (2 entries)
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
outlook_office_path 1 IoCs
description ioc Process
Key opened \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe
outlook_win_path 1 IoCs
description ioc Process
Key opened \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe
Processes
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe"
  PID: 2828
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe (child of PID 2828)
    Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe"
    PID: 3940

  C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe (child of PID 2828)
    Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe"
    PID: 3836
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (child of PID 3836)
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      PID: 3360
      - Accesses Microsoft Outlook profiles
      - outlook_office_path
      - outlook_win_path

C:\Windows\System32\alg.exe
  Command line: C:\Windows\System32\alg.exe
  PID: 1724
  - Executes dropped EXE
  - Drops file in System32 directory

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  PID: 4808
  - Executes dropped EXE

C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
  PID: 2656

C:\Windows\system32\fxssvc.exe
  Command line: C:\Windows\system32\fxssvc.exe
  PID: 4380
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
  Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
  PID: 4556
  - Executes dropped EXE

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
  PID: 4952
  - Executes dropped EXE

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
  Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
  PID: 3752
  - Executes dropped EXE

C:\Windows\System32\msdtc.exe
  Command line: C:\Windows\System32\msdtc.exe
  PID: 1512
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
  Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
  PID: 508
  - Executes dropped EXE

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  PID: 2352
  - Executes dropped EXE

C:\Windows\SysWow64\perfhost.exe
  Command line: C:\Windows\SysWow64\perfhost.exe
  PID: 2616
  - Executes dropped EXE

C:\Windows\system32\locator.exe
  Command line: C:\Windows\system32\locator.exe
  PID: 3048
  - Executes dropped EXE

C:\Windows\System32\SensorDataService.exe
  Command line: C:\Windows\System32\SensorDataService.exe
  PID: 1872
  - Executes dropped EXE
  - Checks SCSI registry key(s)

C:\Windows\System32\snmptrap.exe
  Command line: C:\Windows\System32\snmptrap.exe
  PID: 1160
  - Executes dropped EXE

C:\Windows\system32\spectrum.exe
  Command line: C:\Windows\system32\spectrum.exe
  PID: 464
  - Executes dropped EXE
  - Checks SCSI registry key(s)

C:\Windows\System32\OpenSSH\ssh-agent.exe
  Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
  PID: 404
  - Executes dropped EXE

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
  PID: 664

C:\Windows\system32\TieringEngineService.exe
  Command line: C:\Windows\system32\TieringEngineService.exe
  PID: 4672
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\AgentService.exe
  Command line: C:\Windows\system32\AgentService.exe
  PID: 1856
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\vds.exe
  Command line: C:\Windows\System32\vds.exe
  PID: 4716
  - Executes dropped EXE

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 2768
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\wbengine.exe
  Command line: "C:\Windows\system32\wbengine.exe"
  PID: 3844
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\wbem\WmiApSrv.exe
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
  PID: 1444
  - Executes dropped EXE

C:\Windows\system32\SearchIndexer.exe
  Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
  PID: 224
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\SearchProtocolHost.exe (child of PID 224)
    Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
    PID: 4204
    - Modifies data under HKEY_USERS

  C:\Windows\system32\SearchFilterHost.exe (child of PID 224)
    Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
    PID: 1432
    - Modifies data under HKEY_USERS
Downloads
Filesize 2.1MB
MD5 c86fbbde9bb34e9ca2b92407795cacf4
SHA1 cc54a23ac10df7f3d12e7b0abc594c8eb3d68164
SHA256 cdb82c42c1edc71e7195c7ac3ebc288896454fcd007190a50f5e0124da3001ad
SHA512 0d49ec107e46c61d8bbfe3f4ac9dcc135ae0168af007b1682b9abd44a7927a6e937ad5838444302625817b02320f04742d475ea12e515eb8c16f43eec19dcf5a

Filesize 1.4MB
MD5 d4e432a9b644784b3f2e28beb5e80a0a
SHA1 b40d1b57518a1b9c59881ba3a3af04690bdf7fa9
SHA256 6883de1133af92117cb097f585dd531b50d4546c84795553976bae0c23e33c92
SHA512 5fd07a1fdf9fe6ccba1ae676d6d0046a8e6d43d790142cba83baa19a0947d78f62fe698313eb0f416b03f0071d16b36a12fbf891015819b893303ac681e6f5c9

Filesize 1.5MB
MD5 cc1301aeb13e0af7f2b5a8b749c72eba
SHA1 6353cbed816092ff52624ae921c571d0474dd8c2
SHA256 d5b452e4150a3db4355f593b557a7c1d1063d915d3dd209398fd3b5f8524eb1b
SHA512 1e060c8e3e3e9f53dcafc68574877e4d663564f9e33f429441caf2954c1a4f4a88548bf264cef224ada2d575e2a278635c054f68529cd9be1f9936ce6e112730

Filesize 2.1MB
MD5 62ecf69873affc5b22284812a65d9513
SHA1 67322d2ed5ee667602d42a8da03a85df52195585
SHA256 4c197b7e0e11b8a7564122ad230adc19ede334456f755f968acf819209ac02b5
SHA512 09b2f1821e18889cd2c3e1d6b26739f29c2bac0ff9ff4b06c94ba83ae81523dd3b3552cf8ba651e14733dc857a04d547d5be84108c4128739e9258e5106c6381

Filesize 1.2MB
MD5 726a3f7cc42afb788d1b12352ee3e615
SHA1 397bc0b5cbee086025b2a924e5b6fd0fa82715b9
SHA256 3063f0a939a6a7b0c96c73d797b272f58dfe2b1d55a8b8742310ee5d039ea32a
SHA512 a675b963739b9e8c8dc09ef4a1f6c3125cb1ccecb17af1fe8f55f654c2d7268134402b223ab392d85d1f982d520df15ef11cab4c783dc8022b3a13786d8fc791

Filesize 1.7MB
MD5 c3b0311094e1f3baec897c50187e2d88
SHA1 3b607e45357de93926a35d64464f87d89e3c0243
SHA256 ae3146fa9ac880275d2694a0229f1613deb3c84c54304a36abb8562a5781ef8a
SHA512 33c266da6bb384a3944346fd6dcdff8ee2f07fe1c2392f6ccfcbacf03bb2f67946a35ff9f78ec1601454c9c893334f1e249c8a8edad6f3ef4e7e0e54872013df

Filesize 1.3MB
MD5 8b66225dc8eba81d39b8ca2aef38e476
SHA1 b352e295bdfb8442209740231d6e8557b739a6ce
SHA256 1c853052d554f0bc641c45ca4be988752fbe593f955b57cce7ed122997fbddb7
SHA512 4acfd43c7d9649c17cdfe71a8ae05e5774d4a4d63dc666766e32d8cc65bd8080d46996d684f511d3f89ffb91eee2dd59518a24e1114b0bbe5d1cf2301a7d94bb

Filesize 1.2MB
MD5 61a3dd50c39d8acae5a69a4f88c53f66
SHA1 a61673b429ad0d7e62a7cd2916c1a31adc2be183
SHA256 ead55c2d37ee890d9fcd56b6e2d75436168e6c0b4d0ddc2517d75721f2464998
SHA512 9d59ba74c21299a081c8142a05484c891a87bd33f96aa55cd6039391d87046ad9fcefc91969d21cf3f07d1762b8487a83c7894ebdb113fdf57034711cc082aef

Filesize 1.2MB
MD5 88780e869fb819dd8f9099c1d9535a49
SHA1 2f51c7acdae41bace29373840fa951cd7de2dfc2
SHA256 b209331c0e9ff010e0043a6e1a51def4b7ae3466be1be8a8174568c275ec2024
SHA512 5dc9c45727e0c1d40b80c3f25509f671fe88c86aa4d04677058e2c2706c6c3ddbe10ca0a4968fa1a4ae3b61f52be340b1946fabf0b8928dcbcbb85f5325ccae1

Filesize 1.6MB
MD5 56d9b600dea11997468c2c4c0b228477
SHA1 5ec37b617b7143e63f25e40054fac7af39d89503
SHA256 30466f3976edca4e90490621573d33ca5993c3b116715890881d4f7e0658fd03
SHA512 1f4270d6e4e10eb0465075d52d2876d835173091c8144c52338e338c25083685360b90fbe73ecffe1a26fe409544ca657e24777d8d81cac4c10cbd96d425ee9c

Filesize 1.6MB
MD5 56d9b600dea11997468c2c4c0b228477
SHA1 5ec37b617b7143e63f25e40054fac7af39d89503
SHA256 30466f3976edca4e90490621573d33ca5993c3b116715890881d4f7e0658fd03
SHA512 1f4270d6e4e10eb0465075d52d2876d835173091c8144c52338e338c25083685360b90fbe73ecffe1a26fe409544ca657e24777d8d81cac4c10cbd96d425ee9c

Filesize 1.3MB
MD5 86cce89dd7c5ba3c8a2645324116de89
SHA1 68841fc75765bb1cf6765d974ea498ddae51027b
SHA256 6c76bed52e90abe0b29ffe67f599da29091d5fb397de3f44931781927b492c98
SHA512 ca303daf14e1bb7c2a6bd3b877f290978a11609ff2a00085206502fdbde93a68a61d7a4313aedea472d7fd8e0e7ae3b5d3482cbf568f92646f7d8dc1274ad934

Filesize 1.4MB
MD5 d172a6d301f868525e07801d4cc522f4
SHA1 7aa9850ab530caedb5bd1e58f7f8c433c39e8d0e
SHA256 27704262f4ef2165b19387fc517e003654b5fd8d77d756ae8fca5a46c43c9a78
SHA512 f4f59c0f27140cee696e530dd4d36fe5579765832e225b840db5814dd1632662a6fa6759ccc679e10a0055480f09f98c2e43deafbb8ad9507c0b63900703f0bc

Filesize 1.8MB
MD5 c8381e4438df51828e02d3a92c0aaf96
SHA1 a2dcc600fc848bf9185315e946e5cacb231133f9
SHA256 8105be7c4eda5ffc5124e79e881706a43ff29b89b01b680095c0e5126a1dfc54
SHA512 e89c3c955368cf3272a598ee207f5cd595b3e9aa899e525f728491205c5dc80999e949aed7cdec5ba6ef8fc94c7b19dbd8ad298a653d0ab53d081a29b975aaec

Filesize 1.4MB
MD5 5f7b2a55789fd9829e6e491608fdae16
SHA1 3ce706fc5749930c41f6bf2ac7cb368ccc0ec1e3
SHA256 3e2baa415c60f343df04fcd610b7e74496d1f87bce7e1ec5cfedd0706b819626
SHA512 bdd24d803bd05f941d1c405c0bb57b775b9544aa62d1923f1131a15038ffcca1810ef2c1f0ba0d073f6bea959efefbd1334151f465631b6628221fb1a4cad22a

Filesize 1.5MB
MD5 9d99054dc8df56cdad3f332e8a3d12e4
SHA1 a20f0529e7fb189104638b782f38a0ddb6dd15ad
SHA256 9fcb9d70dbd5d2f06d941e3c1976befbc60f65cb31539780952016932335811c
SHA512 e35255132cae4b54b69f25ef1348965a6234e9c12d0feadb9822c3795003faa08e43f3c210b03d2e893a37cad90d196bc964c7961c7f604c79f7dd5aaf866c6e

Filesize 2.0MB
MD5 b489d855fadfd7078aa0a87331711197
SHA1 0c6c5e0644b838e53bd0c648ba26d2f5872fe572
SHA256 2dda217d21b2d8a7a794ff92a04dc0d676d610d4f2782889e4d6b9a16fae8646
SHA512 caf97c93b73c451a4b828519b9ce0b5335c8a8ed74d30d43ae3d94cf657018747dc5ec9992b8bc4defe8531720f60ae86392b15a561b11ce7ab45bbccc9ccc5e

Filesize 1.3MB
MD5 59cb982e56661e6ab9c7d37ab699c00e
SHA1 b552a591630f979db447e98cb8333ade7d80f0ef
SHA256 6fc43057e617e83c892ff49735ece4eb711a9fc004c4d6ec173fae683a6521eb
SHA512 1e3b76744be8b82f4f2d17676e79c09c864b4c81daefffbf36780381027bd006615b70a8bc09d2a503b49eae92a29d1de93a8b7131a89f94b8a2ba323e626349

Filesize 1.4MB
MD5 0831deaa89f159568f4a9e65da1f55cb
SHA1 d18496862c695a52eec5ef6ed041b022ef823f8f
SHA256 bd44ba4903cdb855c6f682ca45021afb54d10049f39f5baf47313a95b58ffe79
SHA512 5aaa7a3193155e9c1a47ab05cb0546b038d55e5db0ae4aef23b52c948a2dc9c387a52ec93532672fa1de2eb53c6aa6f72b45ac9ee6d389c37dfb8341a9ada454

Filesize 1.2MB
MD5 fd2515dbbe5e7c6c503cd6842bce3124
SHA1 2aaf6a3ab90deaf15b6ed0ff1b1409ebcd2453fb
SHA256 e74794cf9e686847b983a16aff8bab6bf87ba0569e9acc6469d6d0b21cfe2acf
SHA512 76393a2b6ca64b4746a3925e59940713615ae59fc39d226eb935f7418a96e79eae0ace41db5da6dada674e876bbaf6c4fa2883c87c02b6b5a459e26a001407dc

Filesize 1.3MB
MD5 7ef1df688da81edc7b72596a96267250
SHA1 823e48f03b82ccb13badccf3a758ec173c0c0d78
SHA256 e64cf569d76314a0e52dc1eb20b1123b7b6b738cd7764411ad58d32ff00a9577
SHA512 fb7c4743c25e996278f13e3143b701a89fc51b6e13279d8e5cdfcdffcaf7bb5c3e6c5f4fc0b58337363e90bb9a66c31088956d613051247563c9b0dbeb3fd3a4

Filesize 1.4MB
MD5 cd6fe1126133b9427cb920d0e9b6cca1
SHA1 bf3bafa3d4e058dae8793dc242892322bbdd7c9d
SHA256 bfa19c00b6dfbff39f490009f21419acc6a4614a6650540e4b987068cdfe0c66
SHA512 2550d1d1b406024d36bcd069596fef45bcce68014a905b3a8b1c505185df01e18c8f8f6edc3353fa7976a790c79008787763fc1059ff7c3e9deffe1b34366c81

Filesize 2.1MB
MD5 bca3c7c1f36459c52feba9aa9ba300a4
SHA1 91f7826a071749a1ffb9c422ad0d15f31b9ff54e
SHA256 97b6b3611a62cc34386d997c7d8ef9816853687fc501321e039c6d0b832cc720
SHA512 1c5b371e1d06d4803405f20d1d7c04f1166068d2132b09f80263d633606467134381527b8629f3905e201b437dec42538c99cad41d653eae7cf3335ff23ee268