Analysis
max time kernel: 147s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-05-2023 12:06
Static task: static1
Behavioral task: behavioral1
  Sample: Purchase Order FP2305006.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: Purchase Order FP2305006.exe
  Resource: win10v2004-20230220-en
General
Target: Purchase Order FP2305006.exe
Size: 1.6MB
MD5: c7c88b125e27183372fb3d59c959f637
SHA1: 47da39de6edee6bbe9680d830e8f64b7f3fccf3a
SHA256: e44e1135888701ba8cbf462efa9d992a2fa1f83e52c471f65c62c16fdecade26
SHA512: f6beaf1a6e4d8fdde08fb44c90f93c75c6f88bf04d35a90de0711a683c4a19cc82f0e846b038af4b30f6e18d5905d6006de5e00dad5cfd629d673dd81015ed63
SSDEEP: 24576:04LpeAT/4TUmBmsV7ckan9wLb+mkA2NffoYF2zEg06nLnH8b/5cN:ptADBmsmkanaLb+XJwS2zECLH8bI
Malware Config
Extracted
Family: blustealer
C2: https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325
Signatures

BluStealer
A modular information stealer written in Visual Basic.

Executes dropped EXE 22 IoCs
pid | Process
4220 | alg.exe
1688 | DiagnosticsHub.StandardCollector.Service.exe
1588 | fxssvc.exe
1412 | elevation_service.exe
4800 | elevation_service.exe
2200 | maintenanceservice.exe
3748 | msdtc.exe
4916 | OSE.EXE
3632 | PerceptionSimulationService.exe
1676 | perfhost.exe
1912 | locator.exe
5112 | SensorDataService.exe
3740 | snmptrap.exe
1304 | spectrum.exe
668 | ssh-agent.exe
944 | TieringEngineService.exe
696 | AgentService.exe
4300 | vds.exe
3644 | vssvc.exe
4364 | wbengine.exe
2720 | WmiApSrv.exe
4972 | SearchIndexer.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AppLaunch.exe
Key opened | \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AppLaunch.exe
Key opened | \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AppLaunch.exe
Drops file in System32 directory 24 IoCs
description | ioc | Process
File opened for modification | C:\Windows\system32\AgentService.exe | Purchase Order FP2305006.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | Purchase Order FP2305006.exe
File opened for modification | C:\Windows\system32\spectrum.exe | Purchase Order FP2305006.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | Purchase Order FP2305006.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | Purchase Order FP2305006.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | Purchase Order FP2305006.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | Purchase Order FP2305006.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | Purchase Order FP2305006.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | Purchase Order FP2305006.exe
File opened for modification | C:\Windows\system32\dllhost.exe | Purchase Order FP2305006.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | Purchase Order FP2305006.exe
File opened for modification | C:\Windows\system32\vssvc.exe | Purchase Order FP2305006.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | Purchase Order FP2305006.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | Purchase Order FP2305006.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | Purchase Order FP2305006.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | Purchase Order FP2305006.exe
File opened for modification | C:\Windows\system32\msiexec.exe | Purchase Order FP2305006.exe
File opened for modification | C:\Windows\system32\locator.exe | Purchase Order FP2305006.exe
File opened for modification | C:\Windows\System32\vds.exe | Purchase Order FP2305006.exe
File opened for modification | C:\Windows\system32\wbengine.exe | Purchase Order FP2305006.exe
File opened for modification | C:\Windows\System32\alg.exe | Purchase Order FP2305006.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\82455ff02f34055d.bin | alg.exe
File opened for modification | C:\Windows\System32\msdtc.exe | Purchase Order FP2305006.exe
Suspicious use of SetThreadContext 2 IoCs
description | pid | Process | procid_target
PID 2928 set thread context of 892 | 2928 | Purchase Order FP2305006.exe | 93
PID 892 set thread context of 4496 | 892 | Purchase Order FP2305006.exe | 100
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 2 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | Purchase Order FP2305006.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Modifies data under HKEY_USERS 64 IoCs
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
description flow ioc
HTTP User-Agent header 121 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
-
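A detection pass for this signature, added here as an example and not part of the sandbox report or of the sample: it parses constructed proxy log lines and reports clients whose User-Agent identifies a script host instead of a browser. The `WinHttp.WinHttpRequest.5` value is what the WinHTTP COM object (`WinHttp.WinHttpRequest.5.1`, a common HTTP client for VBScript, VBA and Visual Basic 6 code) sends when the caller sets no User-Agent of its own. The log line format, the second `WindowsPowerShell/` pattern, the 203.0.113.7 destination and the client addresses are this example's own constructions.

```python
import re
from collections import defaultdict

# User-Agent patterns that identify a script/automation host. The WinHttp entry
# is the User-Agent observed in this report; the PowerShell entry is this
# example's own addition.
SCRIPT_HOST_UA = {
    "winhttp-com": re.compile(r"WinHttp\.WinHttpRequest\.\d", re.I),
    "powershell": re.compile(r"\bWindowsPowerShell/\d", re.I),
}

# Constructed proxy log line format (an assumption of this example):
#   <timestamp> <client_ip> <method> <url> <status> "<user-agent>"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "(.*)"$')


def classify_ua(ua):
    """Return the label of the first script-host pattern matching ua, else None."""
    for label, pattern in SCRIPT_HOST_UA.items():
        if pattern.search(ua):
            return label
    return None


def destination_host(url):
    """Strip scheme and path so hits can be grouped by destination."""
    m = re.match(r"^[a-z]+://([^/]+)", url, re.I)
    return m.group(1) if m else url


def scan_proxy_log(lines):
    """Return {client_ip: [(dest_host, label, ua), ...]} for script-host requests.

    Lines that do not parse are skipped rather than raising, so one malformed
    line does not abort a sweep over a large log.
    """
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        _ts, client, _method, url, _status, ua = m.groups()
        label = classify_ua(ua)
        if label is not None:
            hits[client].append((destination_host(url), label, ua))
    return dict(hits)


# Constructed sample log. The User-Agent on the first line is the one from this
# report; addresses and destinations are placeholders.
SAMPLE_LOG = [
    '2023-05-10T12:07:01Z 10.0.0.15 POST https://203.0.113.7/api/send 200 '
    '"Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"',
    '2023-05-10T12:07:03Z 10.0.0.15 GET https://www.bing.com/ 200 '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/106.0.0.0 Safari/537.36"',
    '2023-05-10T12:07:09Z 10.0.0.22 GET https://203.0.113.7/update.bin 200 '
    '"Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1023"',
    'not a log line',
]

if __name__ == "__main__":
    for client, requests in scan_proxy_log(SAMPLE_LOG).items():
        for host, label, ua in requests:
            print(f"{client} -> {host}: {label}: {ua}")
```

Grouping by client and destination matters more than the match itself: a single WinHTTP request from a host that also runs browsers is common (Office, update agents), whereas a WinHTTP POST to an address no browser on that host ever touched is what is worth triaging.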
Suspicious behavior: EnumeratesProcesses 37 IoCs
pid Process
2928 Purchase Order FP2305006.exe (2 entries)
892 Purchase Order FP2305006.exe (35 entries)
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
672 Process not Found (2 entries)
-
Suspicious use of AdjustPrivilegeToken 44 IoCs
description pid Process
Token: SeDebugPrivilege 2928 Purchase Order FP2305006.exe
Token: SeTakeOwnershipPrivilege 892 Purchase Order FP2305006.exe
Token: SeAuditPrivilege 1588 fxssvc.exe
Token: SeRestorePrivilege 944 TieringEngineService.exe
Token: SeManageVolumePrivilege 944 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 696 AgentService.exe
Token: SeBackupPrivilege 3644 vssvc.exe
Token: SeRestorePrivilege 3644 vssvc.exe
Token: SeAuditPrivilege 3644 vssvc.exe
Token: SeBackupPrivilege 4364 wbengine.exe
Token: SeRestorePrivilege 4364 wbengine.exe
Token: SeSecurityPrivilege 4364 wbengine.exe
Token: 33 4972 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 4972 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4972 SearchIndexer.exe (25 entries)
Token: SeDebugPrivilege 892 Purchase Order FP2305006.exe (5 entries)
-
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process
892 Purchase Order FP2305006.exe
-
Suspicious use of WriteProcessMemory 20 IoCs
description pid Process procid_target
PID 2928 wrote to memory of 4856 2928 Purchase Order FP2305006.exe 92 (3 entries)
PID 2928 wrote to memory of 892 2928 Purchase Order FP2305006.exe 93 (8 entries)
PID 892 wrote to memory of 4496 892 Purchase Order FP2305006.exe 100 (5 entries)
PID 4972 wrote to memory of 4528 4972 SearchIndexer.exe 121 (2 entries)
PID 4972 wrote to memory of 4628 4972 SearchIndexer.exe 122 (2 entries)
-
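The write pattern above can be turned into a hollowing check. The following is an added example written for this page, not code from the sandbox or from the sample: it parses the report's own WriteProcessMemory records and pid-to-image table and flags writer/target pairs where the target runs the writer's own image (the sample writing into freshly spawned copies of itself, PIDs 4856 and 892, which is the pattern the SetThreadContext flags on 2928 and 892 go with) or where the target is a .NET host binary that is commonly hollowed (AppLaunch.exe is the one in this report; RegAsm.exe, RegSvcs.exe and MSBuild.exe are this example's assumptions). The per-pair write counts come straight out of the records: three writes into 4856, which shows no further activity in the process tree, and eight into 892, which becomes the active copy.

```python
import re
from collections import Counter

# Process table (pid -> image) taken from the process tree in this report.
PROCESS_TABLE = {
    2928: "Purchase Order FP2305006.exe",
    4856: "Purchase Order FP2305006.exe",
    892: "Purchase Order FP2305006.exe",
    4496: "AppLaunch.exe",
    4972: "SearchIndexer.exe",
    4528: "SearchProtocolHost.exe",
    4628: "SearchFilterHost.exe",
}

# The 20 WriteProcessMemory records from this report, in the report's own
# "PID <writer> wrote to memory of <target> <writer> <writer image> <target id>" form.
WPM_RECORDS = (
    ["PID 2928 wrote to memory of 4856 2928 Purchase Order FP2305006.exe 92"] * 3
    + ["PID 2928 wrote to memory of 892 2928 Purchase Order FP2305006.exe 93"] * 8
    + ["PID 892 wrote to memory of 4496 892 Purchase Order FP2305006.exe 100"] * 5
    + ["PID 4972 wrote to memory of 4528 4972 SearchIndexer.exe 121"] * 2
    + ["PID 4972 wrote to memory of 4628 4972 SearchIndexer.exe 122"] * 2
)

# .NET host binaries commonly used as hollowing targets. AppLaunch.exe is the
# one seen in this report; the others are this example's assumption.
HOLLOWING_HOSTS = {"applaunch.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe"}

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (.+) (\d+)$")


def parse_wpm(line):
    """Parse one record into (writer_pid, target_pid, writer_image); None if malformed."""
    m = WPM_RE.match(line.strip())
    if not m:
        return None
    writer, target, writer_again, image, _target_id = m.groups()
    if writer != writer_again:  # the writer pid is repeated in the record; a mismatch is garbage
        return None
    return int(writer), int(target), image


def injection_chains(records, table, hosts=HOLLOWING_HOSTS):
    """Group writes by (writer, target) and keep the pairs that look like injection.

    Two signals: the target runs the same image as the writer (a self-spawned
    copy, the classic hollowing pattern), or the target is a known hollowing
    host. Parent-to-child writes between unrelated images, such as
    SearchIndexer into SearchProtocolHost, are left alone.
    """
    writes = Counter()
    for line in records:
        parsed = parse_wpm(line)
        if parsed is not None:
            writer, target, _ = parsed
            writes[(writer, target)] += 1

    findings = {}
    for (writer, target), count in writes.items():
        w_img = table.get(writer, "<unknown>").lower()
        t_img = table.get(target, "<unknown>").lower()
        reasons = []
        if w_img == t_img:
            reasons.append("target runs the writer's own image")
        if t_img in hosts:
            reasons.append(f"target {t_img} is a known hollowing host")
        if reasons:
            findings[(writer, target)] = {"writes": count, "writer": w_img,
                                          "target": t_img, "reasons": reasons}
    return findings


if __name__ == "__main__":
    for (w, t), f in sorted(injection_chains(WPM_RECORDS, PROCESS_TABLE).items()):
        print(f"{w} -> {t}: {f['writes']} writes; " + "; ".join(f["reasons"]))
```

On a real endpoint the same logic applies to Sysmon event ID 10 (process access) or an EDR's cross-process write telemetry; the pid-to-image table then comes from process creation events rather than from a report.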
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
outlook_office_path 1 IoCs
description ioc Process
Key opened \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe
-
outlook_win_path 1 IoCs
description ioc Process
Key opened \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe
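Detection logic for the two profile paths above, as an added example that is not part of the report: it parses `Key opened` records in the report's format, matches both the Office-versioned `Outlook\Profiles` path and the legacy `Windows Messaging Subsystem\Profiles` path, and reports any reader that is not Outlook itself. The `9375CFF0413111d3B88A00104B2A6676` subkey holds Outlook's per-account settings, including server names, user names and the DPAPI-protected account passwords, which is why a stealer opens it from a process such as AppLaunch.exe that has no business there. The allow-list and the two negative sample events are this example's assumptions; the two positive events are the ones listed above.

```python
import re

# Outlook profile locations: the Office-versioned path and the legacy
# Windows Messaging Subsystem path, both of which the report shows being opened.
OUTLOOK_PROFILE_RE = re.compile(
    r"\\Software\\Microsoft\\("
    r"Office\\\d+\.\d+\\Outlook"
    r"|Windows NT\\CurrentVersion\\Windows Messaging Subsystem"
    r")\\Profiles\\",
    re.I,
)

# "Key opened <path> <process>" in the report's format: the process name is the
# last whitespace-free token and the hive name (a SID or .DEFAULT) is captured.
KEY_OPENED_RE = re.compile(r"^Key opened (\\REGISTRY\\USER\\([^\\]+)\\.+) (\S+)$")

# Processes that legitimately read these keys; an assumption of this example.
ALLOWED_READERS = {"outlook.exe"}


def parse_key_opened(line):
    """Return {"path", "hive", "process"} for one record, or None if it does not parse."""
    m = KEY_OPENED_RE.match(line.strip())
    if not m:
        return None
    path, hive, process = m.groups()
    return {"path": path, "hive": hive, "process": process}


def outlook_profile_readers(events, allowed=ALLOWED_READERS):
    """Return (process, hive, path) for each Outlook profile key opened by a non-allowed process."""
    hits = []
    for line in events:
        ev = parse_key_opened(line)
        if ev is None:
            continue
        if OUTLOOK_PROFILE_RE.search(ev["path"]) and ev["process"].lower() not in allowed:
            hits.append((ev["process"], ev["hive"], ev["path"]))
    return hits


SID = "S-1-5-21-2548970870-3691742953-3895070203-1000"
# The first two events are the ones listed in this report; the last two are
# constructed negatives (Outlook reading its own profile; an unrelated Office key).
EVENTS = [
    r"Key opened \REGISTRY\USER\%s\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe" % SID,
    r"Key opened \REGISTRY\USER\%s\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe" % SID,
    r"Key opened \REGISTRY\USER\%s\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 OUTLOOK.EXE" % SID,
    r"Key opened \REGISTRY\USER\%s\Software\Microsoft\Office\16.0\Common AppLaunch.exe" % SID,
]

if __name__ == "__main__":
    for process, hive, path in outlook_profile_readers(EVENTS):
        print(f"{process} read Outlook profile data of {hive}: {path}")
```

The same two path patterns work as registry-access filters in Sysmon (event ID 12/13 only covers create/set, so an EDR with key-open telemetry is needed for the read case) and as a hunt query over sandbox output for other samples.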
Processes
C:\Users\Admin\AppData\Local\Temp\Purchase Order FP2305006.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Purchase Order FP2305006.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2928
    C:\Users\Admin\AppData\Local\Temp\Purchase Order FP2305006.exe (depth 2)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Purchase Order FP2305006.exe"
      PID:4856
    C:\Users\Admin\AppData\Local\Temp\Purchase Order FP2305006.exe (depth 2)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Purchase Order FP2305006.exe"
      - Drops file in System32 directory
      - Suspicious use of SetThreadContext
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID:892
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (depth 3)
          Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          - Accesses Microsoft Outlook profiles
          - outlook_office_path
          - outlook_win_path
          PID:4496
C:\Windows\System32\alg.exe (depth 1)
  Command line: C:\Windows\System32\alg.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:4220
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe (depth 1)
  Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  - Executes dropped EXE
  PID:1688
C:\Windows\System32\svchost.exe (depth 1)
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
  PID:3844
C:\Windows\system32\fxssvc.exe (depth 1)
  Command line: C:\Windows\system32\fxssvc.exe
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1588
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe (depth 1)
  Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
  - Executes dropped EXE
  PID:1412
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe (depth 1)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
  - Executes dropped EXE
  PID:4800
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe (depth 1)
  Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
  - Executes dropped EXE
  PID:2200
C:\Windows\System32\msdtc.exe (depth 1)
  Command line: C:\Windows\System32\msdtc.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  PID:3748
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (depth 1)
  Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
  - Executes dropped EXE
  PID:4916
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe (depth 1)
  Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  - Executes dropped EXE
  PID:3632
C:\Windows\SysWow64\perfhost.exe (depth 1)
  Command line: C:\Windows\SysWow64\perfhost.exe
  - Executes dropped EXE
  PID:1676
C:\Windows\system32\locator.exe (depth 1)
  Command line: C:\Windows\system32\locator.exe
  - Executes dropped EXE
  PID:1912
C:\Windows\System32\SensorDataService.exe (depth 1)
  Command line: C:\Windows\System32\SensorDataService.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID:5112
C:\Windows\System32\snmptrap.exe (depth 1)
  Command line: C:\Windows\System32\snmptrap.exe
  - Executes dropped EXE
  PID:3740
C:\Windows\system32\spectrum.exe (depth 1)
  Command line: C:\Windows\system32\spectrum.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID:1304
C:\Windows\System32\OpenSSH\ssh-agent.exe (depth 1)
  Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
  - Executes dropped EXE
  PID:668
C:\Windows\system32\svchost.exe (depth 1)
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
  PID:5048
C:\Windows\system32\TieringEngineService.exe (depth 1)
  Command line: C:\Windows\system32\TieringEngineService.exe
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:944
C:\Windows\system32\AgentService.exe (depth 1)
  Command line: C:\Windows\system32\AgentService.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:696
C:\Windows\System32\vds.exe (depth 1)
  Command line: C:\Windows\System32\vds.exe
  - Executes dropped EXE
  PID:4300
C:\Windows\system32\vssvc.exe (depth 1)
  Command line: C:\Windows\system32\vssvc.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3644
C:\Windows\system32\wbengine.exe (depth 1)
  Command line: "C:\Windows\system32\wbengine.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4364
C:\Windows\system32\wbem\WmiApSrv.exe (depth 1)
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
  - Executes dropped EXE
  PID:2720
C:\Windows\system32\SearchIndexer.exe (depth 1)
  Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4972
    C:\Windows\system32\SearchProtocolHost.exe (depth 2)
      Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
      - Modifies data under HKEY_USERS
      PID:4528
    C:\Windows\system32\SearchFilterHost.exe (depth 2)
      Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 924 928 936 8192 932 908
      - Modifies data under HKEY_USERS
      PID:4628
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize 2.1MB
MD5 057ee5b3797b3b748cd04b650bbfbe81
SHA1 fc574d81f9e200dea1fcb7f2b413974a7c5c161f
SHA256 7ac686a0589b926924503f8b2da935013b918104503fc84cd1b4e1a7f5b0bdfc
SHA512 de879ac3d919628d350df53907c2c2010e20f1615678036f7555179903d89157d67b9fb1d160dcdd7bbe76ca1a75e0aa95ea2a920708f72a306e6f003fa75aea
-
Filesize 1.4MB
MD5 e681c6c1b192fce7ba12f664a17cc8d1
SHA1 77ed1cf0fb80abd679948ff9189d5c1799af47a5
SHA256 408a99e189efeb0a02ea593247ad0e59f5b9dc656bc44047220d4aea6e696f82
SHA512 b03ffde01cb9ff906ce4d9837783d176e1d8aed43c4948452af754d40f6985f5b6769531a0bdf7bb5f8e13b1bd68e3d45842dd0943223add0603b73dce9a9b37
-
Filesize 1.5MB
MD5 f65dd136769a2b5b261e077458697621
SHA1 674da425f8f717233a58b8b726ae764a9c67f1be
SHA256 f55f7c5d94f0e17c7ee1592a3f6870d40926702e4c57d0f048fed1b753684672
SHA512 b034edd881a92fed8fc038b3c367f978bc6ed735db9a05d6c9c140a4e7134df16d845e236ca238f09d98bb595023f4b13b48ef3631efb9cf01a0f59e0f082126
-
Filesize 2.1MB
MD5 b9d52b5406968fd2c8a477918af49580
SHA1 e0a37b04d1bbd57293efd2a31d7467642ccbcbfb
SHA256 d12cd21430766fde5f256737a155fd12ae3d543302ee717e1815cee4b98b4aa8
SHA512 ad78be1803f12f996d4a591879c12bc26a8a97c42e5d4c95de352ee06393a6261d63da87f852e6401b7aa99975dff49e06aebf0c3ef91710ba9a44489ea38be0
-
Filesize 1.2MB
MD5 810d5589270ddcb7fc142243a06220c4
SHA1 7958cea625f685df9aacef8ce0460ad85083b5ca
SHA256 c6c07dfacd69705edf464ec564fd3729c4c632b42f10e2cb26078ee69d313598
SHA512 e2e18ecaea8082991386a0cee6664a7a442ee18dd922cd69c04d5be4fe3497d510a6d7f4b7e16320d2efa4e37e40a4fe65337cd22a1111828152584887f8cd9d
-
Filesize 1.7MB
MD5 9900c22aa4a88918f3e9b8e5fb91ee36
SHA1 6ea0d639acd087be706eabcb543c0646d4483d3b
SHA256 ffa622972eb16aa1c02c51ac88855019fb35bff91458330340704bb5537c8df3
SHA512 130847c9fafabacec468c3291081b46038ec184d43c51ffdd87f52488629896f126309e2ed3cf11facc88c088ea6f6b02ea9a901fe2f62fe2affc4743efe03a3
-
Filesize 1.3MB
MD5 342f72f22f768a9561683fc436a47050
SHA1 285cfeb273cad3977b20e2b4e4d5dee4bcb60664
SHA256 c61ad00f797b3af4fcde302625cd226e5c194a5151856bf6163e0e30105a6eff
SHA512 b4f3c1501e7c30a98be4b90a4a34f1f1baf6344f96318b38167fbbbbd92fb6696f574fea70cf14ae63b9d14b4bcf15a5fb609132bdf191d86daaac085ca5f709
-
Filesize 1.2MB
MD5 3e0c027c1c7a826815b01ac70f48947c
SHA1 aafef365777c7af60268712beeaef13985611393
SHA256 2067f2405784102c1b5ac63b648fee4e29dc35cc43a5e215af8e615f0c597cb4
SHA512 ece714aa2cfaca8d7f2cc94437732d6e81fc4c7036e975d123d9627902a434c1417fd2f86533e471113ae2add6b7bd57079309e457a6fb39ba519600b6147f79
-
Filesize 1.2MB
MD5 dc53b48989f8f77dd4d314c93ad47021
SHA1 c24ca0830df835c9f51d04c7a4e74d51f30f422f
SHA256 32e353f94bf0f533730596080c786e1a2246a6d333d6080b725436aa84adcf75
SHA512 91ea85b7cc7167192e8db1d1cced2e2bb950d5c6de251783b1aadd8f9a5edecb955464e542c74a6feca7926bc980dd55348bd0dc7b37603471d451d52d634338
-
Filesize 1.6MB
MD5 b1aec6ab6c74ad8d6de0626f4942d6fe
SHA1 eb33003c770b63c3429fff4a658d16b4dad951e6
SHA256 a69e06ea374fe0b46bfe80ef970ee09a6e04833778f9fc6378e21da9dc36bb11
SHA512 804db9da1b89af4ae21b69c1abae96be7248d764f59a9eefdad6756f9dc88a788256b0240011acedb95794044c0b5d3fc7b730e1a936e5caf30e7b4340929dfd
-
Filesize 1.6MB
MD5 b1aec6ab6c74ad8d6de0626f4942d6fe
SHA1 eb33003c770b63c3429fff4a658d16b4dad951e6
SHA256 a69e06ea374fe0b46bfe80ef970ee09a6e04833778f9fc6378e21da9dc36bb11
SHA512 804db9da1b89af4ae21b69c1abae96be7248d764f59a9eefdad6756f9dc88a788256b0240011acedb95794044c0b5d3fc7b730e1a936e5caf30e7b4340929dfd
-
Filesize 1.3MB
MD5 84aa6ccb8409ab9e4799839fda1a3ea6
SHA1 db52b7401d704052dceb6059b453ccf5ead94aca
SHA256 31ad02191422f769e3c1683d621dc2febf25a34b52ac308f740f9912c6fd891d
SHA512 1e51fd983a3e91e93717b8086c9618e94b215873464134c3921d5905d6a6ad6be338ad195e89558552a01b63e724d37b8d60ab4cbc1cdf516ecbbfd4d423049d
-
Filesize 1.4MB
MD5 1b1435fe908fe78f2ed5612e2a425e34
SHA1 908e9d18032713672d5e73ec2b0e281c6ddb5d1e
SHA256 67ad8deb5428983da719d666c36fd9d4735c232d8aab7e76c225b1e3460a2b69
SHA512 97b0133d0c4c4014bd286e828a47c7d08ec2ea3b3aaa6406a7e6a91dd4a3c030510b4de760bddc799f2fc5608ad2454d7d306b15d9b62f631f54da5e69f90ddf
-
Filesize 1.8MB
MD5 c0759d9586de3a8074ebd9865367f585
SHA1 f03dbdde14bb249143e9aa7a6c971183d1569370
SHA256 5569d8772ea88006d0a6013d00eca92d708ed5eb79df236f37e1c8ac2468e73c
SHA512 84a5c9a81b212b6a84982c251201f405607bb618fcac220fa2166f1e380506be343f4bf9e5eecfdcdb42d7f8b6b2fef24e22570ba1be464649437a63910266a5
-
Filesize 1.4MB
MD5 d37c50bab59f72522347eefaf5c984df
SHA1 e40c9b8b4c0bc530c7ebcbddb3a27d7d2fd73598
SHA256 48a9ed43067ab5970e5943602b8df5df5033a7825357ec79b1eb673ccbd9bf7a
SHA512 8de073787392ce015c5a25916f6f1e98aa3bb9aef1f0429665b1e76c58bf725258436df7c0dedde5fc5faa15f7ac02b02f6676da31e4aacd74a91c7cd1d0aeae
-
Filesize 1.5MB
MD5 260c744b31c29a84bf63f20473257c01
SHA1 ba4035a0625470530418914e71d9ebe2eb788ab1
SHA256 1c9ec65c3cf5a8481b83c9eaa8fc7c06d16b02eef56ab71b40a23807553aa511
SHA512 a0763ae98cb896f8f3690ada616e28decabf32aa5977307ab63354f3365678a3a6f40d7ecbc2e0cbc3959530401787e2bc1ec8d6570da6795696c83672840e42
-
Filesize 2.0MB
MD5 174fdb7ac361967627d583ee43dd16b9
SHA1 05818b61f935828bc085d7645f3564a97dc3d5b2
SHA256 7da4e6ecc5c4e87a4550df8276e7c9e8e09637efc2511aa847ae64294b366caf
SHA512 b2f83908358cf6b5e0cd1ac49818e62079be5aba52ebe2fb267d7337cf81f3d4dcc285aea97a4950d4fb1f29f114a90cbaa9066ba3be84e152dde0d19722f776
-
Filesize 1.3MB
MD5 5b4b045da09446786c7bc18edf93a671
SHA1 d96de1d30a7c5380f02900fa4b4303b14826e979
SHA256 0ca6d8c64e6f7ed21e6a4408910b4eda87fa51e30e1f59a802f598abb4da6d9d
SHA512 3fbbde0c075457ee87ad3bef9cbaff1471ebcdc09de7adb008e5b766e14d5854bc09fa6626c7940af272402b6d05d3331b9f37b2261d312654c54f2dbd91f1fa
-
Filesize 1.4MB
MD5 ae6d14288b4bd4383c4529ca6102e1a7
SHA1 e3d26ae6c1bace27dd8e3d164096d0d23b553ec1
SHA256 2b2602631c762dd5206e7b5000a8abf376c7bc549846ef51e63227641c4841d4
SHA512 2f7a097568f0f7797cc7150215e9e1eff82a0333ee0467b2ec59e78ff1eb3298aad1a1cf7d64015a8dea7ccb6ec8cd79bb5ec19c0e61d585d906a5a1ddf4e56b
-
Filesize 1.2MB
MD5 4f7905022ea7fbe9e3253cefd0a40ab7
SHA1 ba80f77b9848cd2c9181050be557c6b8390c5e92
SHA256 e048e2de2005677ac588cf84ff01bfe7ad33ac76f6137cb7243bffeabb3bea57
SHA512 2be13c35c79dfff9264783ceec10128033e8873bcd616f989d17b1e5772d5fb527328634b3bb6b6c20abf421c73ffc9cc1761ba3294af248d77e56cb10a9de91
-
Filesize 1.3MB
MD5 269eda28831c2b807b14c14cdc80d804
SHA1 a40bc36b74f685b74d85085457879b15ca566ea7
SHA256 2147bdb4c5f7b61d4631d2cce80a69d4ef44e32aec5ac64a5afd3a2fc76621a5
SHA512 4afd4097f233b7e492fd53a1abfec26dd86ffcc838b13b25d6481c5e1cfd59f4557c7ced68ea81908258d21b232a77aa1cfecbede4169bed687ea78716fa2cc4
-
Filesize 1.4MB
MD5 597f5b382246fba72bdf4e779920245b
SHA1 3e470d2ff1acacab3eae764163ecab60dd09c91f
SHA256 3cb285b84d7a02cf25136b78adea44a56e36aa394cb513125eb310d2e36f1ca6
SHA512 4134a08daea4192cacc72334a685cd97aa511a1959fcb850af1f5867426d193d4a37f16bddb93baeac373514fadf4973ec299655a25e05ac98f565e60c2dffd2
-
Filesize 2.1MB
MD5 4c8bd815b239ad04c1c9a42067c3b29f
SHA1 29fcd19cb5efc2617610884ccb9671284bd9f51f
SHA256 328836295debe9309a4cb931c02e620cfff93233c35afd5ac7bdafb6070ec097
SHA512 9711fc6d7f9deb4519ce43341f8a552eba30b29e2bd16de3e20236c603dccad74f1327d8fd9f41daec093f73e0310edad982770d30a21724bff03c2e33400755
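As an added example for the process tree and the dropped-file list above (not part of the sandbox report and not the sample's code), the script below hashes the service image paths that the tree shows executing as dropped EXEs and compares them with the SHA-256 values from the Downloads list. It assumes the responder runs it on a suspect Windows host with this report's hash set; the Chrome and Edge version directories are those of the sandbox image and will differ elsewhere, so adjust them. A hash match is conclusive, but a non-match does not clear a file: the dropped copies in this report already carry different hashes from each other, so on a live host follow a non-match with an Authenticode check of each service binary (for example `Get-AuthenticodeSignature` in PowerShell), which catches a rebuilt dropper that a fixed hash list misses.

```python
import hashlib
import os

# SHA-256 values from the Downloads list in this report (23 files, 22 distinct hashes).
DROPPED_SHA256 = {
    "7ac686a0589b926924503f8b2da935013b918104503fc84cd1b4e1a7f5b0bdfc",
    "408a99e189efeb0a02ea593247ad0e59f5b9dc656bc44047220d4aea6e696f82",
    "f55f7c5d94f0e17c7ee1592a3f6870d40926702e4c57d0f048fed1b753684672",
    "d12cd21430766fde5f256737a155fd12ae3d543302ee717e1815cee4b98b4aa8",
    "c6c07dfacd69705edf464ec564fd3729c4c632b42f10e2cb26078ee69d313598",
    "ffa622972eb16aa1c02c51ac88855019fb35bff91458330340704bb5537c8df3",
    "c61ad00f797b3af4fcde302625cd226e5c194a5151856bf6163e0e30105a6eff",
    "2067f2405784102c1b5ac63b648fee4e29dc35cc43a5e215af8e615f0c597cb4",
    "32e353f94bf0f533730596080c786e1a2246a6d333d6080b725436aa84adcf75",
    "a69e06ea374fe0b46bfe80ef970ee09a6e04833778f9fc6378e21da9dc36bb11",
    "31ad02191422f769e3c1683d621dc2febf25a34b52ac308f740f9912c6fd891d",
    "67ad8deb5428983da719d666c36fd9d4735c232d8aab7e76c225b1e3460a2b69",
    "5569d8772ea88006d0a6013d00eca92d708ed5eb79df236f37e1c8ac2468e73c",
    "48a9ed43067ab5970e5943602b8df5df5033a7825357ec79b1eb673ccbd9bf7a",
    "1c9ec65c3cf5a8481b83c9eaa8fc7c06d16b02eef56ab71b40a23807553aa511",
    "7da4e6ecc5c4e87a4550df8276e7c9e8e09637efc2511aa847ae64294b366caf",
    "0ca6d8c64e6f7ed21e6a4408910b4eda87fa51e30e1f59a802f598abb4da6d9d",
    "2b2602631c762dd5206e7b5000a8abf376c7bc549846ef51e63227641c4841d4",
    "e048e2de2005677ac588cf84ff01bfe7ad33ac76f6137cb7243bffeabb3bea57",
    "2147bdb4c5f7b61d4631d2cce80a69d4ef44e32aec5ac64a5afd3a2fc76621a5",
    "3cb285b84d7a02cf25136b78adea44a56e36aa394cb513125eb310d2e36f1ca6",
    "328836295debe9309a4cb931c02e620cfff93233c35afd5ac7bdafb6070ec097",
}

# Image paths the process tree shows executing as dropped EXEs. The Chrome and
# Edge version directories are the sandbox image's; change them for other hosts.
SERVICE_IMAGES = [
    r"C:\Windows\System32\alg.exe",
    r"C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe",
    r"C:\Windows\system32\fxssvc.exe",
    r"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe",
    r"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe",
    r"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe",
    r"C:\Windows\System32\msdtc.exe",
    r"C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE",
    r"C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe",
    r"C:\Windows\SysWow64\perfhost.exe",
    r"C:\Windows\system32\locator.exe",
    r"C:\Windows\System32\SensorDataService.exe",
    r"C:\Windows\System32\snmptrap.exe",
    r"C:\Windows\system32\spectrum.exe",
    r"C:\Windows\System32\OpenSSH\ssh-agent.exe",
    r"C:\Windows\system32\TieringEngineService.exe",
    r"C:\Windows\system32\AgentService.exe",
    r"C:\Windows\System32\vds.exe",
    r"C:\Windows\system32\vssvc.exe",
    r"C:\Windows\system32\wbengine.exe",
    r"C:\Windows\system32\wbem\WmiApSrv.exe",
    r"C:\Windows\system32\SearchIndexer.exe",
]


def sha256_of(path, chunk_size=1 << 20):
    """Stream the file; the dropped binaries here are 1.2 to 2.1 MB each."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def sweep(paths, iocs=DROPPED_SHA256):
    """Hash each existing path and bucket it as match / clean / missing."""
    result = {"match": [], "clean": [], "missing": []}
    for path in paths:
        if not os.path.isfile(path):
            result["missing"].append(path)
            continue
        digest = sha256_of(path)
        result["match" if digest in iocs else "clean"].append((path, digest))
    return result


def demo():
    """Offline self-check on constructed files in a temporary directory."""
    import tempfile
    workdir = tempfile.mkdtemp()
    planted = os.path.join(workdir, "alg.exe")
    genuine = os.path.join(workdir, "vds.exe")
    with open(planted, "wb") as fh:
        fh.write(b"constructed stand-in for a dropped service binary")
    with open(genuine, "wb") as fh:
        fh.write(b"constructed stand-in for the untouched service binary")
    iocs = DROPPED_SHA256 | {sha256_of(planted)}  # plant one hash so the demo has a true match
    return sweep([planted, genuine, os.path.join(workdir, "absent.exe")], iocs)


if __name__ == "__main__":
    for bucket, entries in sweep(SERVICE_IMAGES).items():
        for entry in entries:
            print(bucket, entry)
```

Run it from an elevated prompt, since several of these paths are only readable by administrators; a "missing" result for the Chrome, Edge or Mozilla paths usually just means a different installed version, not a clean host.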