Analysis
max time kernel: 149s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20230221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-05-2023 09:26
Static task: static1
Behavioral task: behavioral1
Sample: Purchase order 3500354689.exe
Resource: win7-20230220-en
Behavioral task: behavioral2
Sample: Purchase order 3500354689.exe
Resource: win10v2004-20230221-en
General
Target: Purchase order 3500354689.exe
Size: 1.4MB
MD5: 54449cb838ba6a7de0d11f73de31c1af
SHA1: 4fa134aaab1517fc86d77de166e8cb5dc65943df
SHA256: 2062e48bd178d835beb3c39a878ea0da87aae5a4a34e3322a12bc3e9e96bf52d
SHA512: d9177818bf33a55fda1a4dadd98db20c8f72bea1ee3d43d707ef3ddaaed7af944cc97dfb14d649f916573f201730d6bd39d51506ae314cb38882f59d7be19bc4
SSDEEP: 24576:KRmht8BU5wGMUq6HxSzB793rWyxLV08a5XwE7uWhDVzeWhWGAUlCwUY/l:3l5MUqF99TxLG8aJ3lZLeUlv/l
Malware Config
Extracted
blustealer
https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325
Signatures
BluStealer
A modular information stealer written in Visual Basic.
Executes dropped EXE 22 IoCs
pid Process 3648 alg.exe 3776 DiagnosticsHub.StandardCollector.Service.exe 2268 fxssvc.exe 2252 elevation_service.exe 5068 elevation_service.exe 4240 maintenanceservice.exe 1904 msdtc.exe 900 OSE.EXE 2484 PerceptionSimulationService.exe 3916 perfhost.exe 2628 locator.exe 4740 SensorDataService.exe 3256 snmptrap.exe 3548 spectrum.exe 380 ssh-agent.exe 1720 TieringEngineService.exe 960 AgentService.exe 4152 vds.exe 4700 vssvc.exe 1888 wbengine.exe 3020 WmiApSrv.exe 3308 SearchIndexer.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe Key opened \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe Key opened \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe -
Drops file in System32 directory 24 IoCs
description ioc Process File opened for modification C:\Windows\system32\fxssvc.exe Purchase order 3500354689.exe File opened for modification C:\Windows\system32\AgentService.exe Purchase order 3500354689.exe File opened for modification C:\Windows\System32\vds.exe Purchase order 3500354689.exe File opened for modification C:\Windows\system32\wbem\WmiApSrv.exe Purchase order 3500354689.exe File opened for modification C:\Windows\system32\SearchIndexer.exe Purchase order 3500354689.exe File opened for modification C:\Windows\system32\dllhost.exe Purchase order 3500354689.exe File opened for modification C:\Windows\system32\AppVClient.exe Purchase order 3500354689.exe File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG msdtc.exe File opened for modification C:\Windows\SysWow64\perfhost.exe Purchase order 3500354689.exe File opened for modification C:\Windows\system32\locator.exe Purchase order 3500354689.exe File opened for modification C:\Windows\System32\SensorDataService.exe Purchase order 3500354689.exe File opened for modification C:\Windows\System32\snmptrap.exe Purchase order 3500354689.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\46069f04c9ce9937.bin alg.exe File opened for modification C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe Purchase order 3500354689.exe File opened for modification C:\Windows\system32\spectrum.exe Purchase order 3500354689.exe File opened for modification C:\Windows\System32\OpenSSH\ssh-agent.exe Purchase order 3500354689.exe File opened for modification C:\Windows\system32\vssvc.exe Purchase order 3500354689.exe File opened for modification C:\Windows\System32\alg.exe Purchase order 3500354689.exe File opened for modification C:\Windows\system32\msiexec.exe Purchase order 3500354689.exe File opened for modification C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe Purchase order 3500354689.exe File opened for modification 
C:\Windows\system32\SgrmBroker.exe Purchase order 3500354689.exe File opened for modification C:\Windows\system32\TieringEngineService.exe Purchase order 3500354689.exe File opened for modification C:\Windows\system32\wbengine.exe Purchase order 3500354689.exe File opened for modification C:\Windows\System32\msdtc.exe Purchase order 3500354689.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 3444 set thread context of 924 3444 Purchase order 3500354689.exe 92 PID 924 set thread context of 5088 924 Purchase order 3500354689.exe 98 -
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 2 IoCs
description ioc Process File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe Purchase order 3500354689.exe File opened for modification C:\Windows\DtcInstall.log msdtc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz TieringEngineService.exe Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 TieringEngineService.exe -
Modifies data under HKEY_USERS 64 IoCs
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
description: HTTP User-Agent header
flow: 100
ioc: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: EnumeratesProcesses 37 IoCs
pid Process
3444 Purchase order 3500354689.exe (2 events)
924 Purchase order 3500354689.exe (35 events)
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
652 Process not Found (2 events)
Suspicious use of AdjustPrivilegeToken 44 IoCs
description pid Process
Token: SeDebugPrivilege 3444 Purchase order 3500354689.exe
Token: SeTakeOwnershipPrivilege 924 Purchase order 3500354689.exe
Token: SeAuditPrivilege 2268 fxssvc.exe
Token: SeRestorePrivilege 1720 TieringEngineService.exe
Token: SeManageVolumePrivilege 1720 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 960 AgentService.exe
Token: SeBackupPrivilege 4700 vssvc.exe
Token: SeRestorePrivilege 4700 vssvc.exe
Token: SeAuditPrivilege 4700 vssvc.exe
Token: SeBackupPrivilege 1888 wbengine.exe
Token: SeRestorePrivilege 1888 wbengine.exe
Token: SeSecurityPrivilege 1888 wbengine.exe
Token: 33 3308 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 3308 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3308 SearchIndexer.exe (25 events)
Token: SeDebugPrivilege 924 Purchase order 3500354689.exe (5 events)
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process
924 Purchase order 3500354689.exe
Suspicious use of WriteProcessMemory 20 IoCs
description pid Process procid_target
PID 3444 wrote to memory of 1948 3444 Purchase order 3500354689.exe 91 (3 events)
PID 3444 wrote to memory of 924 3444 Purchase order 3500354689.exe 92 (8 events)
PID 924 wrote to memory of 5088 924 Purchase order 3500354689.exe 98 (5 events)
PID 3308 wrote to memory of 3320 3308 SearchIndexer.exe 120 (2 events)
PID 3308 wrote to memory of 804 3308 SearchIndexer.exe 121 (2 events)
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
outlook_office_path 1 IoCs
description ioc Process
Key opened \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe
outlook_win_path 1 IoCs
description ioc Process
Key opened \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe
Processes

Path: C:\Users\Admin\AppData\Local\Temp\Purchase order 3500354689.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Purchase order 3500354689.exe"
PID: 3444 (depth 1)
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

  Path: C:\Users\Admin\AppData\Local\Temp\Purchase order 3500354689.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Purchase order 3500354689.exe"
  PID: 1948 (depth 2, child of PID 3444)

  Path: C:\Users\Admin\AppData\Local\Temp\Purchase order 3500354689.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Purchase order 3500354689.exe"
  PID: 924 (depth 2, child of PID 3444)
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    PID: 5088 (depth 3, child of PID 924)
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path

Path: C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
PID: 3648 (depth 1)
- Executes dropped EXE
- Drops file in System32 directory

Path: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
PID: 3776 (depth 1)
- Executes dropped EXE

Path: C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID: 1772 (depth 1)

Path: C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
PID: 2268 (depth 1)
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken

Path: C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
PID: 2252 (depth 1)
- Executes dropped EXE

Path: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
PID: 5068 (depth 1)
- Executes dropped EXE

Path: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
PID: 4240 (depth 1)
- Executes dropped EXE

Path: C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
PID: 1904 (depth 1)
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory

Path: \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
PID: 900 (depth 1)
- Executes dropped EXE

Path: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
PID: 2484 (depth 1)
- Executes dropped EXE

Path: C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
PID: 3916 (depth 1)
- Executes dropped EXE

Path: C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
PID: 2628 (depth 1)
- Executes dropped EXE

Path: C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
PID: 4740 (depth 1)
- Executes dropped EXE
- Checks SCSI registry key(s)

Path: C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
PID: 3256 (depth 1)
- Executes dropped EXE

Path: C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
PID: 3548 (depth 1)
- Executes dropped EXE
- Checks SCSI registry key(s)

Path: C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
PID: 380 (depth 1)
- Executes dropped EXE

Path: C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID: 2924 (depth 1)

Path: C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
PID: 1720 (depth 1)
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken

Path: C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
PID: 960 (depth 1)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken

Path: C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
PID: 4152 (depth 1)
- Executes dropped EXE

Path: C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
PID: 4700 (depth 1)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken

Path: C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
PID: 1888 (depth 1)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken

Path: C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
PID: 3020 (depth 1)
- Executes dropped EXE

Path: C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
PID: 3308 (depth 1)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

  Path: C:\Windows\system32\SearchProtocolHost.exe
  Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  PID: 3320 (depth 2, child of PID 3308)
  - Modifies data under HKEY_USERS

  Path: C:\Windows\system32\SearchFilterHost.exe
  Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  PID: 804 (depth 2, child of PID 3308)
  - Modifies data under HKEY_USERS
Downloads

Filesize 2.1MB
MD5 10f48545130f17bc5cf3ad30a8d58c78
SHA1 2ff7eb172c06b3252ac277b07fa4376a521c22ba
SHA256 add6459c490bf14559d89c03908f23ae082c2225e85eaca033d5da00c5b33398
SHA512 7e23508defb43b99b46e1b46693fd8dbafbfa44bcc4b3ce08ddf78476295ed0869b0b135e5d4d927f5a682250870881b850d9ccc6add49ff2e4d31f4034df418

Filesize 1.4MB
MD5 55ae90914b07e0777c1b74543a470ac6
SHA1 630bd6b91da5fe6a057cf208f007c0f398427b24
SHA256 4800e8fa654881f86384d55b68e2a677bc927446e890944e974fa43fa70701f4
SHA512 8a168c07082ea4cf33daf28e1e98f96f35204447af892817c8b560e2f292d743ed6ff80403d77e4a057a396532db92a0adb0800e1c8f09bddcefb4f25a90d7a8

Filesize 1.5MB
MD5 0dbbffc61052c1afc00a02b0887287cb
SHA1 6b9d7bd9dae4c8ecfb0f9a01c02dafb00b094fcc
SHA256 9beab05b3eca2b2e36ec714ce63ca7ee81e6f3401513b3704e9cbf630656e83e
SHA512 64844f5c5ebed85005c085c6fac22ac6239d1c38feddbb96666df46c2b41d79b625fd610c6eda7d858ad7b1bd1157fd46f9c23a100253fcca27772ba9a5b7448

Filesize 2.1MB
MD5 f18cbea53770392684774e3f90bafba3
SHA1 570652e723d282cabeebf910d4f9e9849a703a26
SHA256 4795e2b32c99242ae1f81213c4751915ba9569b44d5ac309c1bb7d9875e81ec9
SHA512 5ec44da1735b5e42cfea2e88ebdf475b63faa87f81c8e5c9aa1d90fe133dc123648d2fc714889a129a769a24da7803188f5b19e75bc882f1aeb86879ee7330ed

Filesize 1.2MB
MD5 8ddf566415c55bd67c1b379aa162fded
SHA1 f486ea579ba47a956f6d6475361947261cf5bd6e
SHA256 8dde12bdb6adfd34afef0619859efe5fc1ce9a6f6d09276e3df919cf3a98d971
SHA512 4794fde5f15f005c4ad330f1a9a7329ab33eac1ea80ecb2397a827cbcb46f569b52f722dcc5575028a7c3016b018b5d5c723cb93017d4e40ed35081a2aa94797

Filesize 1.7MB
MD5 c69a0a27f0a61865cba5f1bd80c054ee
SHA1 f41771d70a87219150dee67b9258d16b07e4f391
SHA256 f665a4ac02fda4fb84cd8d292349beb46d05ae59e8b3736219df94b92dcd7049
SHA512 b0c3721bf27cbcf8767daecec6e613aef6c8b1c9ca5ebd39cfc54eda28e0c02eb299b2bce558813f1aa1eee5b2cf9db3ae309ba4a09f123925e24e4134f8440d

Filesize 1.3MB
MD5 26a06ca583cf5af27e38621fa4d850fc
SHA1 db1153e6a3d4cef87ea08bd6c8f0f6b27dfc6c68
SHA256 e59055904d74e1acec8650d02e298ef66249516011443ca72b441b99328cd675
SHA512 2085d8580803d2813195a0fb5cff287bb98db48a339f0fd6fea3c71d35be44ef9d88bcb119ac09daa32d8602b9d510a93bcc73cc98ab99a666a5e2869de73ca8

Filesize 1.2MB
MD5 23c96f47b6e39fc9c7d50a8a56eaa5a0
SHA1 6eb1bee344dd395e302a0ee389747c92798dfa23
SHA256 5dc7400f8ebc11a1e395a2d0d076ad6eb48a62c90979e3d0ea03308b79570562
SHA512 dacb5a5ed69db85dc78f829e4c92f0162035ab3f3cd756f098205cc299fb0b72c7b422adedeafd562a3d6dbbc9c234d1e4ac8ba3b5962be5f5ed620a11ccd911

Filesize 1.2MB
MD5 249e1b6a23da55180236954e22292311
SHA1 20e40996a067fcd81127a312a8458391ccb53cff
SHA256 048396d624395a0aab866882c24b3092b3403697deb42929f3ac56dca1db103b
SHA512 e4a0e26f618067312c8ed0c0dfaacd2136e7fec33f06477ef9ee95d6594472093226717aaa390bb24ff7d692dd29cbd2d5a9dc21560c4ee16468a48c7feeb18c

Filesize 1.6MB
MD5 cde8a1ec3438a5ff14a517a8ba0c3bec
SHA1 6922021c1bf3c278ba552bed3849cc06afe46b70
SHA256 4d3af3e4faa980ecbba96eb202a26dbcfe15681e8aed9c056424bb7bd36f0333
SHA512 f13b0801e80bb7ae294e5f30c3ad290b9256324c069686e05a6d8538c5e1200282c5d624b10a456b4f3e1f2494137080122a4ad5e3dea2dc0217f923844bc578

Filesize 1.6MB
MD5 cde8a1ec3438a5ff14a517a8ba0c3bec
SHA1 6922021c1bf3c278ba552bed3849cc06afe46b70
SHA256 4d3af3e4faa980ecbba96eb202a26dbcfe15681e8aed9c056424bb7bd36f0333
SHA512 f13b0801e80bb7ae294e5f30c3ad290b9256324c069686e05a6d8538c5e1200282c5d624b10a456b4f3e1f2494137080122a4ad5e3dea2dc0217f923844bc578

Filesize 1.3MB
MD5 81bb80017994895dd95295beeb1c8004
SHA1 e49890c1a2adf7ab932661a94272d90ada9976ca
SHA256 afb584a7a2cbe3b1041fc856e52780611fb76f35443f95b29ae9dd5bd9544574
SHA512 2a93f0050635c59b833e48d506694a55e4fff31fab02fb61c5e532c8e5232ee6dea75ff56c5919362f91cb897e44492d0561eb5258062e858435d5486dfc9ea6

Filesize 1.4MB
MD5 3279b9bdcff6697a5b22dee3744f187c
SHA1 336aed625279b376505ff8e29513f578789fa886
SHA256 c1d346234f94265245d8bd93e971437ba884a5e3849f269906f2e99fba46b333
SHA512 b438c8156c8ed7733358cb2dbcf466848702c8db4d834130b8b60954ac5d9166420c48192186fa5e2dcc7ba8e67cf2347251659ab9bee0d3385b47173f4545af

Filesize 1.8MB
MD5 4e21e717c80cdcaefff22495d8867e4f
SHA1 41daf4a52f401261402bddffe797708e93b20850
SHA256 248cbf9cfd491941d315146d2873023995312ad31932de7337a3c22b03cb3e5a
SHA512 ecf74118bdefe73cfa804003cca86de81f67e93618ac450a74689f169410e99581d3888c15394fd3d11e0198cf01a64377c55e9e3c204ef63cb5d6a27156d5f1

Filesize 1.4MB
MD5 fc1c7e6848ec501c34f9cc604cdc928d
SHA1 bc5b7062f1efa525e6242ee58d71e02e45b12810
SHA256 032fd434a0a40b740e745fef7ce8f301b94955d28045090fb197eb95f8899b59
SHA512 784b5b2fefc884eeaa71ba90d0bef4a4551fb31de0583e6aa8d5f8a1cb31565b56742634e8129b31d0d1b24a86e65ea0b4274855ec64a97725eadecd9c25dffb

Filesize 1.5MB
MD5 fb14f64595f779dd4e4920dd02d16701
SHA1 fed2051e2ab910280695fa60693f0f55bec60f7e
SHA256 76c7674a66787efd393e13da1cea08f8fec3e0a72e6fe9db2cad800b7e82087a
SHA512 bd6c76e5df3b5e2b3e6361907c0dbc8d260f61c5a7f3c805320b75c5c88efec29155d3c1b31f3101e9063772d28c34f7973e9dbba0c70c728feba9ead991096a

Filesize 2.0MB
MD5 83985f361ba3c16419f27f408a63dcb0
SHA1 4340b602886a3d9f4702efe219a381f880057b18
SHA256 e3925e323f24088d3d4f702b8b2c2ab50e0a33ff2cde4f658f61d1dcff643463
SHA512 7eef055eb02a6feef21db27840057e2ee1e090d55de68b89f63daa2cb6ee5cf4d189c1fb4441240f50a2e550a77f6aebd60cd0f56028248dbed4fb4a3e2044ed

Filesize 1.3MB
MD5 27c95705a32bbfbe8018fe141cbf1bb0
SHA1 6db7e32b6561b372ff3e29406b253a8b4ee931e2
SHA256 85daf1914799e9edc21874f3251652477d801a98f88291e0e3c7e0e3124b59f5
SHA512 1bf1ab7f31913f762046d74ef92b0bc30e467a968d2b23d8e936e5fd3e2f6f3a3990dc8e20f6f2d7bde14670a273a4de199580efe7b654cef34fa39acc1f9413

Filesize 1.4MB
MD5 1f2acdc8d72426dc45792e29d5a2d727
SHA1 ba51cc50c146cca5af28f8c6413fcb46035e672c
SHA256 695ca74b5a5784d74942dc235c0aa4a4edfdf9c2b70cb4499eb66fd06f59b96f
SHA512 5297ec871dab52084f185bd985a53ff52da348951329242009380db385c985daa3a7d737f1a34785aaee34cb6cd0c673f6eae336081b18d71a36b660d2f862cc

Filesize 1.2MB
MD5 3b2c26d56488d7b43a295a48e731edee
SHA1 2cf2f4cc5eb213d5d7104dd5ce09716ea426957e
SHA256 944282a90d6d6e14bd02fd8337402e92ab9462f557772830d148ca54bf31d8d0
SHA512 d79cb0731385419af2a7ec73a5cc502d223352c2ae7ade177848e1df1710fb7de19f377e28ac103a23d333a7ebd17a2014596fdae64967104934c7635abf1bbb

Filesize 1.3MB
MD5 ef6c866fc94879404df21d978ef11f45
SHA1 004b4f85b0749a8e31a6a1c6c43956fe678d2d56
SHA256 eb7df0b49ea1f616799438fed2dce30b2bc33277988dad8019071181cf1b2b8b
SHA512 9a0e7f018dbf57aaa81c6a260f314a3a659cbce75a95b1a6a5c9c3673349b86c469be87b902caf03eee127e2812c1f4d6178c1487f381c25dc830c0a9611b0ae

Filesize 1.4MB
MD5 0a01747fa24abeb1d5ed6e3a788d0209
SHA1 577a5f0d1f360a791a1c59e9473551a6de85aa87
SHA256 adb4f12cffb0caacf6c626ebdfbb2820abd86861c4d667d63df72c2d07d57238
SHA512 f2358e65ea5b6cfbf0527a023156ffdad6ed67837bd75b01d9d54a776a6405484f0c5648429035dcb074bd8db89a9750668a3d8d6a6d7575197161f9e7604a50

Filesize 2.1MB
MD5 73362858769df8151374a0ffafb5eed1
SHA1 3a547ab2bfeddc4d8cb36c7ef538af33f6a4bf8b
SHA256 4079645b5d35bd9c6bfc2e39d89e876a3620b60233b11a47f13d34edf5b36a2e
SHA512 aaa776819ec5d6d13ad5e6d6736981ed634768137c661740d8d8c9d3b2b88792ea564c47624743d152806509a5b22f11e798cd23c2c7eb8796e718ed89bfab24