blustealer | 2062e48bd178d835beb3c39a878ea0da87aae5a4a34e3322a12bc3e9e96bf52d

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
11/05/2023, 18:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Purchaseorder3500354689.exe
Size

1.4MB
MD5

54449cb838ba6a7de0d11f73de31c1af
SHA1

4fa134aaab1517fc86d77de166e8cb5dc65943df
SHA256

2062e48bd178d835beb3c39a878ea0da87aae5a4a34e3322a12bc3e9e96bf52d
SHA512

d9177818bf33a55fda1a4dadd98db20c8f72bea1ee3d43d707ef3ddaaed7af944cc97dfb14d649f916573f201730d6bd39d51506ae314cb38882f59d7be19bc4
SSDEEP

24576:KRmht8BU5wGMUq6HxSzB793rWyxLV08a5XwE7uWhDVzeWhWGAUlCwUY/l:3l5MUqF99TxLG8aJ3lZLeUlv/l

Score

10^/10

blustealer collection spyware stealer

Malware Config

Extracted

Family

blustealer

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 22 IoCs

pid	Process
4492	alg.exe
2628	DiagnosticsHub.StandardCollector.Service.exe
1672	fxssvc.exe
2528	elevation_service.exe
2692	elevation_service.exe
2664	maintenanceservice.exe
1912	msdtc.exe
4608	OSE.EXE
4860	PerceptionSimulationService.exe
3796	perfhost.exe
3788	locator.exe
4232	SensorDataService.exe
3056	snmptrap.exe
4456	spectrum.exe
60	ssh-agent.exe
3704	TieringEngineService.exe
2088	AgentService.exe
2568	vds.exe
3216	vssvc.exe
4592	wbengine.exe
4548	WmiApSrv.exe
4208	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Windows\system32\AgentService.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\77edd4f3ea807a0f.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Windows\system32\dllhost.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Windows\System32\vds.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Windows\system32\vssvc.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Windows\system32\spectrum.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Windows\system32\locator.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Windows\system32\wbengine.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Windows\System32\msdtc.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Windows\System32\alg.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Windows\system32\msiexec.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	Purchaseorder3500354689.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4484 set thread context of 2904	4484	Purchaseorder3500354689.exe	85
PID 2904 set thread context of 3684	2904	Purchaseorder3500354689.exe	91

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\ssvagent.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\servertool.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmic.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\java.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\keytool.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\schemagen.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\java-rmi.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmc.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jsadebugd.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\nbexec64.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Purchaseorder3500354689.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\rmiregistry.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\unpack200.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jvisualvm.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jjs.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javacpl.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javaws.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\policytool.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\native2ascii.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ssvagent.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\java.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\nbexec.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Purchaseorder3500354689.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdb.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\orbd.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\xjc.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jps.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\wsimport.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\unpack200.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\serialver.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe	Purchaseorder3500354689.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	Purchaseorder3500354689.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000efa51a484b84d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000093dcdd4b4b84d901	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000771ee44c4b84d901	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001dede2484b84d901	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009bc2fa484b84d901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002925de484b84d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000093c67e484b84d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004aa7a1494b84d901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b5542b484b84d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	82	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
2904	Purchaseorder3500354689.exe
2904	Purchaseorder3500354689.exe
2904	Purchaseorder3500354689.exe
2904	Purchaseorder3500354689.exe
2904	Purchaseorder3500354689.exe
2904	Purchaseorder3500354689.exe
2904	Purchaseorder3500354689.exe
2904	Purchaseorder3500354689.exe
2904	Purchaseorder3500354689.exe
2904	Purchaseorder3500354689.exe
2904	Purchaseorder3500354689.exe
2904	Purchaseorder3500354689.exe
2904	Purchaseorder3500354689.exe
2904	Purchaseorder3500354689.exe
2904	Purchaseorder3500354689.exe
2904	Purchaseorder3500354689.exe
2904	Purchaseorder3500354689.exe
2904	Purchaseorder3500354689.exe
2904	Purchaseorder3500354689.exe
2904	Purchaseorder3500354689.exe
2904	Purchaseorder3500354689.exe
2904	Purchaseorder3500354689.exe
2904	Purchaseorder3500354689.exe
2904	Purchaseorder3500354689.exe
2904	Purchaseorder3500354689.exe
2904	Purchaseorder3500354689.exe
2904	Purchaseorder3500354689.exe
2904	Purchaseorder3500354689.exe
2904	Purchaseorder3500354689.exe
2904	Purchaseorder3500354689.exe
2904	Purchaseorder3500354689.exe
2904	Purchaseorder3500354689.exe
2904	Purchaseorder3500354689.exe
2904	Purchaseorder3500354689.exe
2904	Purchaseorder3500354689.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
668	Process not Found
668	Process not Found

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2904	Purchaseorder3500354689.exe
Token: SeAuditPrivilege	1672	fxssvc.exe
Token: SeRestorePrivilege	3704	TieringEngineService.exe
Token: SeManageVolumePrivilege	3704	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2088	AgentService.exe
Token: SeBackupPrivilege	3216	vssvc.exe
Token: SeRestorePrivilege	3216	vssvc.exe
Token: SeAuditPrivilege	3216	vssvc.exe
Token: SeBackupPrivilege	4592	wbengine.exe
Token: SeRestorePrivilege	4592	wbengine.exe
Token: SeSecurityPrivilege	4592	wbengine.exe
Token: 33	4208	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4208	SearchIndexer.exe
Token: SeDebugPrivilege	2904	Purchaseorder3500354689.exe
Token: SeDebugPrivilege	2904	Purchaseorder3500354689.exe
Token: SeDebugPrivilege	2904	Purchaseorder3500354689.exe
Token: SeDebugPrivilege	2904	Purchaseorder3500354689.exe
Token: SeDebugPrivilege	2904	Purchaseorder3500354689.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2904	Purchaseorder3500354689.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 4484 wrote to memory of 2904	4484	Purchaseorder3500354689.exe	85
PID 4484 wrote to memory of 2904	4484	Purchaseorder3500354689.exe	85
PID 4484 wrote to memory of 2904	4484	Purchaseorder3500354689.exe	85
PID 4484 wrote to memory of 2904	4484	Purchaseorder3500354689.exe	85
PID 4484 wrote to memory of 2904	4484	Purchaseorder3500354689.exe	85
PID 4484 wrote to memory of 2904	4484	Purchaseorder3500354689.exe	85
PID 4484 wrote to memory of 2904	4484	Purchaseorder3500354689.exe	85
PID 4484 wrote to memory of 2904	4484	Purchaseorder3500354689.exe	85
PID 2904 wrote to memory of 3684	2904	Purchaseorder3500354689.exe	91
PID 2904 wrote to memory of 3684	2904	Purchaseorder3500354689.exe	91
PID 2904 wrote to memory of 3684	2904	Purchaseorder3500354689.exe	91
PID 2904 wrote to memory of 3684	2904	Purchaseorder3500354689.exe	91
PID 2904 wrote to memory of 3684	2904	Purchaseorder3500354689.exe	91
PID 4208 wrote to memory of 3352	4208	SearchIndexer.exe	119
PID 4208 wrote to memory of 3352	4208	SearchIndexer.exe	119
PID 4208 wrote to memory of 3584	4208	SearchIndexer.exe	120
PID 4208 wrote to memory of 3584	4208	SearchIndexer.exe	120

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\Purchaseorder3500354689.exe
"C:\Users\Admin\AppData\Local\Temp\Purchaseorder3500354689.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4484
- C:\Users\Admin\AppData\Local\Temp\Purchaseorder3500354689.exe
  "C:\Users\Admin\AppData\Local\Temp\Purchaseorder3500354689.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2904
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path
    PID:3684

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4492

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2628

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3200

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1672

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2528

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2692

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2664

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1912

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4608

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4860

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3796

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3788

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4232

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3056

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4456

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:60

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4616

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3704

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2088

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2568

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3216

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4592

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4548

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4208
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3352
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3584

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
368e8445e0e37c91012ab407a08b4665

SHA1
e261d90c1517eafbd7ab5eb86c66df237ee3cf09

SHA256
185e34cacf4a68cfa43a1ea0c9b487ee7caebb09baefa68ee251a5b140d5746f

SHA512
aae4e972dc0cba4b269bbc050075cda2f53fcd3b2ff5ed94ef2eab36e0e04c582bcd308b3a0469acb1ba16cf81d820ec43eb1d328ec14560819edbfa9bda3e33

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
fbd8463205cc160722bca198d2f55c72

SHA1
acafe5502f532c24d772e5310d87407e7550bb59

SHA256
f1797c5450d9400bc823ea32d067fcb73f18f451ac765d28e1e1834766730c62

SHA512
b06b37bde4e6e7da8def96b8800a397df8961252cf11d586df4655a79f6e82633f026d7ff224076149cbd9e741967230b6931c0a338e9b8e0ea0aad9fbc6a078

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
0cf1b7d68fe2fb22d7169a920ff4cb0e

SHA1
f543802673f8616728451cbf8729b5afbcd63fc5

SHA256
67d4bace53ccc1d153ee13f6433488d55dd7a3746610a1d6d143a0bddc2fa275

SHA512
4680266053105126462cd4338263de9812f94d1cfee8df82c7e1854f6235ac03789b473c477c7f38bebd3b73cbf43690b1e38c06849206668d6b49eeecf15a07

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
c72585ace4a5ef71d23218be6ac1954a

SHA1
a979fc035870849d8049e429b4b47dd76bae8a5d

SHA256
ceb4cd6278f38153b70744fa5a706c85982b3e89300a3fc9b32fc45304648a3c

SHA512
1a9c7047c20e43d7853d58e7f4e42ab798fcfd7b08bd3ba8bd217d773523651e795559a426475e16e1410c28ea4419d9380219e52a73772678f4a33a0c59f2fc

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
e6a6e77485e7d7c06e5cbd2d047fa865

SHA1
42b669c2f956767e9ef561b6199488787d741731

SHA256
1cc87d31e5d0a3397a40883653f818c62108be009a26cb09ebaa4dd55829c979

SHA512
2be09d07f0f31c88ad02db97c8aafa027ca97bb62bf3c081aadb2ceeff98c8300550030c5fe89aa4ef8cfff571a3a9c5bd2fdf3e05a615832bd50a473f9be3e1

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
1e6169baf16c19bea66cb74fcc74e946

SHA1
101f6be50fd316099a11a22808f9e0b9746b5c93

SHA256
eedc498630920253508e82879766dcdb13d81d22d607c440f705deafcd23029d

SHA512
29110fabeebb2913cc228b3d3b33571df19d89cca033dacb81ef8838c73b3bcd44ed8b6be1327865864dceef900571fb663c683a0312aeac2ccad51077637e00

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
bc3a108eb0a6ff16574e2791108e7d00

SHA1
bb788779f8d5c9e2a075fcc5a09ed76f89e8c129

SHA256
792ec73101d7edf63543594c7ad83fd5b1bb0e252e6177bc2f266942e1ffbd10

SHA512
4ea21f7155b8e72ae723fadacf4c3a3f970c1ee87e8a6fc30fb3d8e93319030924788f61cb6e7f6fc6e99863f03a586cc2cc409856b87696316f2a82602e07f2

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
8050f640679b856ef007af6fa01d3abc

SHA1
9dfd4128b4869d858a3f7d80e54d20e4b0a1d3ea

SHA256
ca396447de3f73d937f95340629b466c625e373b6e8916ba8947f3958036fdc9

SHA512
fd1114abeae485fc9ab7c8f919b0b8483a70f7ed1ee78ea8d96ca6c2d35b67e5c7bbbd4b1a324b9df5c5f21d2310006f846d48e66ec3d2b3766e99be9e3e6614

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
ddba3228700bed3a6a58f7fb7ec2ef5d

SHA1
d2d62fcf9b13d664ce86b954737aec1bfd96edc2

SHA256
907a969e9fae59231c905289b94490417017dd00f1fa6c468a885c2e4b6546d6

SHA512
eab04055822e877c4c2ccc5df6918bb0078c0ed22d31c21958b832e1945023f695cce072f010b4b1159816618d0979c86db0901b55a804961c65085bcb5a5d6d

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
dc503f21a343ea5c5732c41d0c94737c

SHA1
64f638caff1bb4195957f3581ffe231dad2a88fb

SHA256
d2327e8b7ab0108cba5563db3765ff720f7cc37837441611ecd075d24152059c

SHA512
fbe0d2ab30d2d41eee49f3fbbf8fd19b23ee70770c315a70ccce3991f107a18e4c394181eacbe0539e631831cbbe5a9c9f86f686f513dc097b9369e23f90d6b8

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
dc503f21a343ea5c5732c41d0c94737c

SHA1
64f638caff1bb4195957f3581ffe231dad2a88fb

SHA256
d2327e8b7ab0108cba5563db3765ff720f7cc37837441611ecd075d24152059c

SHA512
fbe0d2ab30d2d41eee49f3fbbf8fd19b23ee70770c315a70ccce3991f107a18e4c394181eacbe0539e631831cbbe5a9c9f86f686f513dc097b9369e23f90d6b8

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
32db7fec77d58c47bd9f91d8c98688cc

SHA1
ffae1c36d7ed2205b21a80c5423dac5ea1482d8e

SHA256
656e4df7d8c92823480411a8f24252cda1c115045d733d68cbd02a17dcff64a2

SHA512
cc1b1ab509761b3ca9be2278e8e521bcfd7730e8fc46c8321de8a90cc72fd9e78e6f8e162fd9205a5757c46231fefeb4254677c4997f8f2730510f5c820315ef

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
553433ed2789565832301cfe17165552

SHA1
1602abb28cd9252f24b2088c430747614d097824

SHA256
7b756e60dc96a3b326c8d23c7de8ceacb1cff00fbba26b4e3880d80378904ddd

SHA512
726f089ccb20c11c1d2d89b614fff820c258a966b0a615b2107a2afb1d47777c3ffa03843c193eb99a9fb659931a7637bcce89a4487c1588a9a51733e580283a

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
b53d3c16c13c4a664b9e15bd92a9c25a

SHA1
88f1ad0154f64eeb5d9a20d9bb0fa14bec026948

SHA256
395fb8e0ae90d39415ca2c6d52edcf2ae4fee7a43122dba86ab597828e60ca1b

SHA512
4d9add9f00c717331a5dd4a89eba9fed02817e96dec91a8e72898421f7533d1681ec53475689b01baf42a743b02f42b7354a507163430ceee681417bf99a615d

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
41e73f6f43d31b4f4ec0401a74006c3f

SHA1
ddfa4b582e2f4102b8db0dd50c053f88738659ea

SHA256
aaf523303ce05b4ed66c4133e0bc288c4cbca46e5e2937f9778e2adeb039a74a

SHA512
653fd0e1bfd807595ac8b122bb6be8466a532dd9fcaa80a1facb54387a4cd5b0e74346739da0d52c68a113e1e28a9103e7c2d14a26bb6604cd7011e372d36e94

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
06123c7aefe11920e6f8d02c731ef8e6

SHA1
4ef5348489b3e439974d886cb880d5c7de97a206

SHA256
8083c0bbcf8983e727b70bbcb9fa1db01c233fd6ad7a15b4b3219739c90cb9fb

SHA512
038e4f89d831e08f1ef15c9cac9ae07cc98cdf169eb1dd177e54a300f3c96ecf6a71750801ea47bd164455cbf6a6158aeab514195479a5723f7b49a0285fd5a5

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
ca91674ccb25a4cbbaae19c31cdc2f9b

SHA1
0b7e00cd04adefe8021cf7744c00cec5246b1301

SHA256
c23d9543c34c515e345a62af51b21fed1e5bb884f30b82f2c917fe8d804cd577

SHA512
62e0aa6e5a7d77dcb6940bd346d2ab15337acbb4e32303d6c7b74aa1827a909ce1f72c423664f515eae383895a16b80d1c4cc9151cf6a83867ad5603acbccb36

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
e9b10cfdb139819c68e06de851add5ba

SHA1
926e0c330d2c60d81ccbda612aa33bda1de45ffa

SHA256
9e56286bb6274fc193a7803cc244624399e7b8427696ad82ea4014d0466f814b

SHA512
c2f90cc217151e09b0a8cba1b78280a2157a523d37801ad01d896f4d6458941a14db8611f70465276d2588b5191164f757c2f12286348ad52e7ac72763f23b93

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
00416223f3190d2386e390c4252a2635

SHA1
954122ce13790eeaf98d56dd01a04b7e64f8f334

SHA256
352f76ebc92c9f2ba84e71e9b3688ad4fcab1eaac7af4159450127104f223799

SHA512
266e4c7c4e1d9e980b980711076ef860b43af9ceacedd54870c657f9fd5275aaa6a73637565f42a0f199c4380f6dc74d1220aa85c805d9f90ab5e4641db09ccf

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
19442bce721d70e46102147765727666

SHA1
9c476432a8ba68d2feec1637fae89bf3b22f308a

SHA256
c129a2c81b44b29ad1f5558fcce7bba7b872d892c4b7a27c95c2254babb0814c

SHA512
d99fba92835654d5e0aba705d123822175caa79ed562c96488296805979386e6dfb50f9561d650f280e6fbf08c4a81ea5754cda9d2ee4f8bbd9a37333932bd42

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
b6b9a5d4f37ec33f490f588d7b6d4af7

SHA1
a917ac352b2b49e261a104bfd425c90fcd5e892e

SHA256
190a533d091cff83b51a3f79c5f184f4bd2d88378b819a27f7eb5664c499f8af

SHA512
483425a4fbf7ef4c0f12225cbf11c7de9d74fee2bd2eabcb29cfbd8a773fe4356e970390947224c9a59c63e06c401258c4193538a81b6a4779dd3561da87dd51

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
3697d79566edff014937a226109d52d3

SHA1
ff19305aef25c089f227df5271dea694b7f3e299

SHA256
cf870aff83d837b97ab5204c66ee7a46202e6151fef1d935ffcb607bde1c1c8a

SHA512
5aad88ae42bf7c2e138d5c037ea75a4c325e43a4add66f4fe8afbe7f2e44e572b71b27b045d0ad25bb0ebb136330eebedc1f0b7c09142b06476eaeecc4e71e25

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
2d01104d89474a9221931f266050b56d

SHA1
e56de0e8692f49c856308a47fae2e7cd16df7c2b

SHA256
34a36a32a54c660d83cc91cde0c66847d85de7f4a8e672567ffa1a5d56f23007

SHA512
c57c0479041f7ed8c28ec5cac79975d95f1d2011bed19556e0395ce4687d957118c92f6b2c2f8a851095807a7daad2c9688b6b93956157d320771b4c783254e1

Download Submit
memory/60-331-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/60-471-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/1672-187-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/1672-192-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1672-181-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/1672-204-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1672-202-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/1912-233-0x0000000000D00000-0x0000000000D60000-memory.dmp

Filesize
384KB

Download
memory/1912-242-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/2088-358-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2528-200-0x0000000000C10000-0x0000000000C70000-memory.dmp

Filesize
384KB

Download
memory/2528-195-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2528-454-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2528-191-0x0000000000C10000-0x0000000000C70000-memory.dmp

Filesize
384KB

Download
memory/2568-473-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2568-361-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2628-453-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/2628-169-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/2628-174-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/2628-177-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/2664-219-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2664-231-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2664-228-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2664-225-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2692-207-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/2692-218-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2692-213-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/2692-464-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2904-414-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/2904-155-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/2904-149-0x0000000003140000-0x00000000031A6000-memory.dmp

Filesize
408KB

Download
memory/2904-144-0x0000000003140000-0x00000000031A6000-memory.dmp

Filesize
408KB

Download
memory/2904-143-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/2904-140-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/3056-326-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/3216-477-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3216-383-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3584-674-0x00000223F4E70000-0x00000223F4E80000-memory.dmp

Filesize
64KB

Download
memory/3584-654-0x00000223F4E60000-0x00000223F4E70000-memory.dmp

Filesize
64KB

Download
memory/3584-656-0x00000223F4E70000-0x00000223F4E71000-memory.dmp

Filesize
4KB

Download
memory/3584-655-0x00000223F4E70000-0x00000223F4E80000-memory.dmp

Filesize
64KB

Download
memory/3684-198-0x0000000000350000-0x00000000003B6000-memory.dmp

Filesize
408KB

Download
memory/3704-360-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/3788-298-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/3796-276-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/3796-469-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/4208-422-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4208-503-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4232-468-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4232-299-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4456-470-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4456-328-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4484-137-0x0000000005870000-0x000000000587A000-memory.dmp

Filesize
40KB

Download
memory/4484-135-0x00000000057D0000-0x0000000005862000-memory.dmp

Filesize
584KB

Download
memory/4484-138-0x0000000003400000-0x0000000003410000-memory.dmp

Filesize
64KB

Download
memory/4484-133-0x0000000000DF0000-0x0000000000F60000-memory.dmp

Filesize
1.4MB

Download
memory/4484-139-0x0000000008F30000-0x0000000008FCC000-memory.dmp

Filesize
624KB

Download
memory/4484-136-0x0000000003400000-0x0000000003410000-memory.dmp

Filesize
64KB

Download
memory/4484-134-0x0000000005E60000-0x0000000006404000-memory.dmp

Filesize
5.6MB

Download
memory/4492-163-0x00000000005A0000-0x0000000000600000-memory.dmp

Filesize
384KB

Download
memory/4492-172-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/4492-157-0x00000000005A0000-0x0000000000600000-memory.dmp

Filesize
384KB

Download
memory/4548-502-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/4548-419-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/4592-478-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4592-386-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4608-270-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/4860-274-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download