blustealer | 421845b1fbf3828e4f4fe3e7147f501a422bd6ae755e388a089c67d005770b58

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
15-05-2023 04:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Purchase Order.exe
Size

1.4MB
MD5

98ac95047944a90076ed642f2b56fc7f
SHA1

e34b95acbdbead3a7057f6e42673bed24aa573c9
SHA256

421845b1fbf3828e4f4fe3e7147f501a422bd6ae755e388a089c67d005770b58
SHA512

8d415d64193df913602752c3004a7a24d7bc0ab29129eda9a1e9653e7cbfbaccb5ada7a1aa4a8b4ea81ff7fc2696fea242caf722e655b43f41cdc952738c5f74
SSDEEP

24576:N8whh2b5/1L3Y5zhzKSYIb34DSNCZlk0pRIIV6Kkcd4UiivgEvyV1jBSH:w91Lo5zgSYUI24ZlkwRI+9WUiiv7vyX0

Score

10^/10

blustealer collection spyware stealer

Malware Config

Extracted

Family

blustealer

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 22 IoCs

pid	Process
4360	alg.exe
1440	DiagnosticsHub.StandardCollector.Service.exe
684	fxssvc.exe
4912	elevation_service.exe
2948	elevation_service.exe
876	maintenanceservice.exe
3472	msdtc.exe
3876	OSE.EXE
2052	PerceptionSimulationService.exe
3896	perfhost.exe
2824	locator.exe
368	SensorDataService.exe
4900	snmptrap.exe
2388	spectrum.exe
808	ssh-agent.exe
3672	TieringEngineService.exe
452	AgentService.exe
4748	vds.exe
4980	vssvc.exe
4708	wbengine.exe
4640	WmiApSrv.exe
5076	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Drops file in System32 directory 28 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\msdtc.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\locator.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	Purchase Order.exe
File opened for modification	C:\Windows\System32\alg.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	Purchase Order.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\spectrum.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\dllhost.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\msiexec.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\AgentService.exe	Purchase Order.exe
File opened for modification	C:\Windows\System32\vds.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\vssvc.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\aa1101632f34055d.bin	alg.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\wbengine.exe	Purchase Order.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2040 set thread context of 4600	2040	Purchase Order.exe	89
PID 4600 set thread context of 3144	4600	Purchase Order.exe	114

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\kinit.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ssvagent.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jinfo.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\servertool.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\nbexec.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ktab.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jps.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\xjc.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\rmiregistry.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	Purchase Order.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	Purchase Order.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\keytool.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\unpack200.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdb.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmiregistry.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\nbexec64.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jcmd.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\ktab.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javaws.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{7275D8FE-3105-4FA6-AB36-BE5FAD0C0F2A}\chrome_installer.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\pack200.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\schemagen.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\pack200.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstatd.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javac.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\serialver.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\tnameserv.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\keytool.exe	Purchase Order.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	Purchase Order.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001f5c5700f886d901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000642ec9f6f786d901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000db9998f7f786d901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001f8cb2faf786d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000045595a02f886d901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e67256f9f786d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	85	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
2040	Purchase Order.exe
2040	Purchase Order.exe
4600	Purchase Order.exe
4600	Purchase Order.exe
4600	Purchase Order.exe
4600	Purchase Order.exe
4600	Purchase Order.exe
4600	Purchase Order.exe
4600	Purchase Order.exe
4600	Purchase Order.exe
4600	Purchase Order.exe
4600	Purchase Order.exe
4600	Purchase Order.exe
4600	Purchase Order.exe
4600	Purchase Order.exe
4600	Purchase Order.exe
4600	Purchase Order.exe
4600	Purchase Order.exe
4600	Purchase Order.exe
4600	Purchase Order.exe
4600	Purchase Order.exe
4600	Purchase Order.exe
4600	Purchase Order.exe
4600	Purchase Order.exe
4600	Purchase Order.exe
4600	Purchase Order.exe
4600	Purchase Order.exe
4600	Purchase Order.exe
4600	Purchase Order.exe
4600	Purchase Order.exe
4600	Purchase Order.exe
4600	Purchase Order.exe
4600	Purchase Order.exe
4600	Purchase Order.exe
4600	Purchase Order.exe
4600	Purchase Order.exe
4600	Purchase Order.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
672	Process not Found
672	Process not Found

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeDebugPrivilege	2040	Purchase Order.exe
Token: SeTakeOwnershipPrivilege	4600	Purchase Order.exe
Token: SeAuditPrivilege	684	fxssvc.exe
Token: SeRestorePrivilege	3672	TieringEngineService.exe
Token: SeManageVolumePrivilege	3672	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	452	AgentService.exe
Token: SeBackupPrivilege	4980	vssvc.exe
Token: SeRestorePrivilege	4980	vssvc.exe
Token: SeAuditPrivilege	4980	vssvc.exe
Token: SeBackupPrivilege	4708	wbengine.exe
Token: SeRestorePrivilege	4708	wbengine.exe
Token: SeSecurityPrivilege	4708	wbengine.exe
Token: 33	5076	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5076	SearchIndexer.exe
Token: SeDebugPrivilege	4600	Purchase Order.exe
Token: SeDebugPrivilege	4600	Purchase Order.exe
Token: SeDebugPrivilege	4600	Purchase Order.exe
Token: SeDebugPrivilege	4600	Purchase Order.exe
Token: SeDebugPrivilege	4600	Purchase Order.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4600	Purchase Order.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 2768	2040	Purchase Order.exe	88
PID 2040 wrote to memory of 2768	2040	Purchase Order.exe	88
PID 2040 wrote to memory of 2768	2040	Purchase Order.exe	88
PID 2040 wrote to memory of 4600	2040	Purchase Order.exe	89
PID 2040 wrote to memory of 4600	2040	Purchase Order.exe	89
PID 2040 wrote to memory of 4600	2040	Purchase Order.exe	89
PID 2040 wrote to memory of 4600	2040	Purchase Order.exe	89
PID 2040 wrote to memory of 4600	2040	Purchase Order.exe	89
PID 2040 wrote to memory of 4600	2040	Purchase Order.exe	89
PID 2040 wrote to memory of 4600	2040	Purchase Order.exe	89
PID 2040 wrote to memory of 4600	2040	Purchase Order.exe	89
PID 4600 wrote to memory of 3144	4600	Purchase Order.exe	114
PID 4600 wrote to memory of 3144	4600	Purchase Order.exe	114
PID 4600 wrote to memory of 3144	4600	Purchase Order.exe	114
PID 4600 wrote to memory of 3144	4600	Purchase Order.exe	114
PID 4600 wrote to memory of 3144	4600	Purchase Order.exe	114
PID 5076 wrote to memory of 4240	5076	SearchIndexer.exe	117
PID 5076 wrote to memory of 4240	5076	SearchIndexer.exe	117
PID 5076 wrote to memory of 3484	5076	SearchIndexer.exe	118
PID 5076 wrote to memory of 3484	5076	SearchIndexer.exe	118

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe
  "C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe"
  2⤵
  PID:2768
- C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe
  "C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4600
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path
    PID:3144

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:4360

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1440

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1636

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:684

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4912

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2948

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:876

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3472

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3876

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2052

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3896

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2824

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:368

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4900

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2388

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:808

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4216

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3672

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:452

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4748

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4980

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4708

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4640

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5076
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4240
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3484

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
cbf02b92ca92f44cdc58e9d934f3cd62

SHA1
ea1beea74e43048924b4df5d63b3a12e92b12123

SHA256
2fa1efb8aacfa035ebd8eb46ab3db42b6faf2a79baf68e5e6d9e5154875a26e2

SHA512
97c47064619d0bc7c383722ae57765acf478bb15b5cb04407f61168cb7d9b5b23abf1e75edc286a5741b13177d776f8009bbc4dc53dd45cf721703329370a05b

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
d2685edc03fe7ad6deac6c639ded813c

SHA1
3dcd4bf55f64a972584b96ab96d743a694aa2572

SHA256
1b942196f221da8e2aa5a445ae487bccfe3683df4fcfcaada7d3c1297debbbce

SHA512
b2594cd74847436be28f2ab17d9b4c94a7c0fab02931d327e8a8a9ed5b4474f4d2a01a11f9f2c3e5544ef28c409c212e214d5bc61ef211014ef1578c17ff3df2

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
d2685edc03fe7ad6deac6c639ded813c

SHA1
3dcd4bf55f64a972584b96ab96d743a694aa2572

SHA256
1b942196f221da8e2aa5a445ae487bccfe3683df4fcfcaada7d3c1297debbbce

SHA512
b2594cd74847436be28f2ab17d9b4c94a7c0fab02931d327e8a8a9ed5b4474f4d2a01a11f9f2c3e5544ef28c409c212e214d5bc61ef211014ef1578c17ff3df2

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
d6c5bdca801bd7d62b41b68ae6d105ff

SHA1
8022fe540882264cba28133844bdbfb3e342f8fb

SHA256
7e6a34cf03f28c0145424efda8ff1b6d9d5e96ae326cc14c0dadcef3668c8c8a

SHA512
a9390a7e51ee5981da975702ed700cd0be36efe1471dbb8127e61f74526a8216a682feaa1e8026d40537def6046d8a314ab4d187c9394ac2befff2bac6f584c9

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
1e8cd3ba2cd15d7697af2e5b0e9b89df

SHA1
f9cf411625b724f7962fe918cf5381f31d2a8f89

SHA256
88f7031df0ae7ab2672bb9df99781eaa5f04628f1fcb0f582901c08921feb133

SHA512
24d0e47b47c859f3671f5670c3455045e52d352a6807aa5266ae6d85707dbb9ccd834e6ecf1d566a2ead293947d7f17c25b944c21d4a7936e1376a5e6fd14bf3

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
ee382dcb0bdc9332543a79f1a4a61f10

SHA1
2d235ad246bc419e647418a1b4de5bfdcbbcc0f2

SHA256
7338094bd5f72ed80a097ce28d26a8df418bd11d81bd553d04d476f6844c9651

SHA512
44b2d003f8ef1128a2191931649f58d5c5f4d6ac619dd2ecf77cd1595a58752f6220f9b631d1a8118bb179bf5202c3e43d25571afb0e7a3a6362e242d4abd4e6

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
8f89ab99312f72ce19dc1ea70e5a4ea8

SHA1
379dbce822eda68d9dc21f0f61e4b52a6138dedb

SHA256
a2a088ffb1966a3b4096dfac2bb122b5db50dc077426533bde11127f36041020

SHA512
c5b7efd05715e364451a51990592ad42c8dafb8d41880910fa0080879fc16b19304bee975db3ca1e65a33e1d56a294e41c4196da81d808a83e6e21c19d60265d

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
d250aa00c9f2974a76510babbde65cdd

SHA1
3be741cc27d1c21a25864ad2d0b57b57860850f9

SHA256
b41e7549e83aa20ce872fa6f508742a8003c6a7af025f73973ed7c373f87a891

SHA512
67909d8214c3ab6e55f7029ca2909f73a614883442e95bf032c7d4581e421142d07f544e43bf363eec0d51d92f65369cf616d82245af180562c24e8bdeeb35d9

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
dbded8b6b1b02eeae47e97229622d951

SHA1
52f1c0d4adc7ccbe5282fb629b2077afab11b41b

SHA256
da3f6bb18c874c631f7b76564a23fb75aeacf37b1194fdfe4ade52d83060427c

SHA512
92a7414b02cb989f2a2fdffc29d823a85fbd6309c70f9102c2f1c01dcd3990c59196386782bf1b683d73a630942d259b69211d825349c62416e9b26146b650e4

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
9e0b11da96448331fa2148262c11f4e7

SHA1
c163421dab29757d1472d94222d494f60e62cb1b

SHA256
f4e67a368b8f4fc26769e7e5b604d38829db0196fbc910672e8170b0ad5f82f6

SHA512
c7c02a01e8e2f8e93b02a59c07614b65ec34557d7e60f2b6e3afaab919e0ba21f4bb382b3ce1a8b8917ef588fa5328029ac0cd7d19ba65a3c69b0a0a8d66ecb0

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
f2415dca587b81cbeff9919be8e352bd

SHA1
1f49a7d9900da1e41389a20c8bd18420b9529991

SHA256
ff3d301c80f495e4505126c90add3295f673bd0c826e43cabe4b0404f018cc78

SHA512
649f46ef21e5f2f787b9d0c4302b4ad172051a21188daa5a9f7e759e68566ba1625e5fb7cf7f1ca5ce966f7760e38175e5033b8b7d1b18c6393c8fbe6bf2a409

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
f2415dca587b81cbeff9919be8e352bd

SHA1
1f49a7d9900da1e41389a20c8bd18420b9529991

SHA256
ff3d301c80f495e4505126c90add3295f673bd0c826e43cabe4b0404f018cc78

SHA512
649f46ef21e5f2f787b9d0c4302b4ad172051a21188daa5a9f7e759e68566ba1625e5fb7cf7f1ca5ce966f7760e38175e5033b8b7d1b18c6393c8fbe6bf2a409

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
3098a3ee8d343cdec1dc8e5dd27254b3

SHA1
d85031cba86e4663b4c3f55336f184c6172bbdf1

SHA256
c28b6ec65544752bbf1827c8a83b80decb48c98d3b6e37f476cbf7cc2c71a486

SHA512
80507451219d73c18340502ec940a3e9d1443c38f56174b7479a0ed9ed8cab9cf50dff6140b2ce63b84ea7919451d1affe19dca5a1554d66816da3a73766d707

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
91b89d1b8e95beb4870ad185ff000754

SHA1
9fe0e2085947990f12b4e4e39497d86b40cb0bf7

SHA256
cab800384ff336fdb19f0ed37b91202e7def4fe0fe78aabdbf7273bb48f5d083

SHA512
1a02b4ccac90d228452c42a090812bd2e4d13df5ef5e14267e90f33073c50002ccd980897010891a853641dbd76c622cf38463e30a3ec1dddee09ed530c7af33

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
08d23f6e526a5924a18ec7025d547056

SHA1
295ab1cb02cd908e511f46815e47ce04cb59765b

SHA256
fcd87a29c583f55d3dd25c9ba51ca1f29cd3ec3acfa592084a3beca146d8a494

SHA512
bf832288fafb6b48acd5ac282c2517a398ae4bd8fa341380b5870f3f707c10861505d68affae57d36cba74ec0b870faab04af614f75925cf0ecc5ea04252f40d

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.6MB

MD5
a102145abab0b0cb475540d8d5b49b8a

SHA1
3139a8b34e331bbcc499bc6e0040bfc2fdbc4722

SHA256
c39e352002dcc08dffb5544b6f401507d0fcef1c36ce1afa34aa19011710eed4

SHA512
46a1fce72d04f26bf4757ede518a865e487b8325eff85de9ddcc5e4a47735ebe29a2ca6ecaebad6247d946768005434df27b0d83ec3b44a541cdaed99b0f795f

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
c394d2a14dbcd24fbe7a50347a938d14

SHA1
d0721639b8f2e8d968e4bb1f306fd083d6a02890

SHA256
00450d50448e986e2bd6dbf0015aa4e722831350eb7f9c31e2e8b8adb98fb5ca

SHA512
718c9ebbaa0c2f9df482b924823994aa79a6bf4d72a1645e57bde4b5df66f0bd51bb675223ea99f33d9f48c889fd7f92f4148bcf0df06a33edc96931f7f02570

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
8cbae7220c3ff64e16f75811f57ea5cc

SHA1
d003c1be803ad617d90bbfcb3e56716c3a9286eb

SHA256
40cf1f6f457512894e7c62e3829ede17291d9dfb155e4835a40b62a4b9845544

SHA512
47c4b03c9e38c3a53ae69269a530d0ca20c1f659ad9dfea7908b82f814d7cadcbdc45c18f24ea0d0cb05e135241af26737e0b979cd04049bfbdd08fda78591ab

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
69e6d80086b8a59e7b5a1bb3a36471b2

SHA1
6a52ac3a7aa63af58b11eff36c61dcde487c1041

SHA256
a549703d36ad1ad88887629b4b29302e937d5d564bb46a225e99864899643c40

SHA512
07574f0c2e8bc0d4aa66f4f7b1a2b63c5956de04b99d73f6e0fa7aef31a50b63093efe5fda0a8ef810088c6c7f2866dbbacad29426fb3b2a38b1024c43e6519c

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
b38948dce5022f8b38c088a5ce673919

SHA1
67e6ae0072a6c4ab9a0c24936a400ccd9d72062b

SHA256
1ac0e3c5d81d07dbe628275a5df739af0fcb02733dcf66447273e5c934e5c348

SHA512
abe6ff93a3aef5cf2b22840e69dfbd62e334e44b9c88e4d1a3e8cd3e1825c9cdaaf11a1e420be557e435694290275a56f7f92df6f84cee8f9f0b6a67345d59dc

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
72bad156a1c6457d6f91377f01643c1c

SHA1
955261d6a8d554783d7bf4a88d9204506ac2fb8d

SHA256
1841f84cc9c23bef647cc35b0cfd57e8de488fc5347c77ae90ff243635b802ec

SHA512
3fccea273ac8db0b5d85cf11e39fb68afccfe95edb665ca51bd84f214efe9a69811623ee7104b1dd3a84de040448bce850bdd8aec235251bd454cdc50a4b1891

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
a5a47cfa94e0179cb881089944bc9b9b

SHA1
cabe02bf0540c94233ef16104493428a2aa147f1

SHA256
451d2da97dad7aca5ffe8a56c24c80cf4a4bbb821d7736af68cb7b1f00692137

SHA512
5c2ef4291d2133b8878ad9316f9210149291a26dd4192ec5677ab766c1de4ba991939dd6738f769b5d1720b60d16497fe3fdc704589d4b5cfb5839d3daacc1bd

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
6dd338c1cb337cc1d8f354b09e8317f4

SHA1
1353f3bf2d4328d740bf39714940a1b9de0295f0

SHA256
64304ee9af41aa55422f929a010bfa2f89450c65cb15442361ee84f57bfdd64e

SHA512
8335ba138b1ae07d8de826228fe3e0c29c59853ebecfd3fa6c84be797143a3bba17db3038a75d611f2c1f5fffcfb7ad80086022b621af731e1eef72f164192e3

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
8a30b292790664ee148c829442c06194

SHA1
9fafd3c9cf74774467c1b6238f4e9135f7561ae9

SHA256
a6787aa5103606e87b5359bf01d7cbcd38256c7e299438fd22834c55a6541a1d

SHA512
406aa5a145b6bfd44c68355b5dd9243c178a2eb4bd5d025e318699f74026bcb2d7c722e8a9122d5fd23928ce9b55375176372de81ecfc297f698aba7898e16ad

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
e3da8e5a3f7e6f131c9af172eb7345ce

SHA1
307c54704e2a762891f281afd98f092426d62dc3

SHA256
f26f37c64830639dde657ab81cf5aa9a64f52b661631316d731bbf4f77444e68

SHA512
8f54b97463771dea8bf5fa36b30a62c0e6c40d9f4d06f5b96291b81f346171a670409149caf83b1e6481178a943be2ade078972d1b2321cf3a05c023f7871908

Download Submit
C:\Windows\system32\AgentService.exe

Filesize
1.6MB

MD5
cb4e860bc458e086535df0ce3702b8cc

SHA1
e7e3f20afcde7c26503cc99bd7d58688d0f17fa7

SHA256
8b2eb42fd055a5ce0cd954d1084b55c0d8300b6a1ab90b0190dd0f7b3ac2c318

SHA512
e971d3e017b444944b89e5e67da1ef2a1a7bc2c8fabb25308298b8efc0e96ec009d82f081a5e1f576d9e5b053f89f0b5dd7408a617c944d1e81a5ca04c91ef5b

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
6fb5afa63f9e677fb8eab4e0abe0dfb6

SHA1
b0ac73baacd6b42f018c151c1e03c7b8c479e061

SHA256
4ae721c5e4c7be6c59d28ac275f3f3e1c0486bfd0050c86e703458113a0b47d7

SHA512
4d24dac43a6442b2cd7d7c4a9ca8c2463182461f8e46c29c469e606e7eb23988a991f5ce12c9c4329de65e1cf761fb99cea9d673015d7bafc5a9f570c2c87153

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
95509d44285b71f94c5bc9480eb5e5bb

SHA1
a58b75f0449916398cb79c937bc5d71ad6cce726

SHA256
5b215a16e4b1dd978573b42d25dda112b7970619e169e717ef23eb2dd1e9891d

SHA512
4862b331aa9d692d9f8aab0ebac5ce99581a6000cffe4839491fd9b03f2a629d55e1b51566302ed22c22d3d34407e45dd8a5b12721eec7720db4ea6d26841a27

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
dbded8b6b1b02eeae47e97229622d951

SHA1
52f1c0d4adc7ccbe5282fb629b2077afab11b41b

SHA256
da3f6bb18c874c631f7b76564a23fb75aeacf37b1194fdfe4ade52d83060427c

SHA512
92a7414b02cb989f2a2fdffc29d823a85fbd6309c70f9102c2f1c01dcd3990c59196386782bf1b683d73a630942d259b69211d825349c62416e9b26146b650e4

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
cfa1e335c706591f375243c602aa6ef7

SHA1
3198e8f59d307a146960fa50a076ae87f40fd4fd

SHA256
8b90073ca11dc09373af7d327b4ba753def57f06a23c97098b31a4f79c541512

SHA512
d8bc5d0255a830cbbeefe6500e7f5725935789ac99bfabde8bcd6b845cece8afed56ce1f428438c5561bfb11c69aa9afb07256cd3c1a4e968d90cb6dffc35aba

Download Submit
memory/368-302-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/368-527-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/452-357-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/684-203-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/684-181-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/684-191-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/684-200-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/684-187-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/808-338-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/876-217-0x0000000001A40000-0x0000000001AA0000-memory.dmp

Filesize
384KB

Download
memory/876-223-0x0000000001A40000-0x0000000001AA0000-memory.dmp

Filesize
384KB

Download
memory/876-226-0x0000000001A40000-0x0000000001AA0000-memory.dmp

Filesize
384KB

Download
memory/876-229-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1440-168-0x0000000000490000-0x00000000004F0000-memory.dmp

Filesize
384KB

Download
memory/1440-177-0x0000000000490000-0x00000000004F0000-memory.dmp

Filesize
384KB

Download
memory/1440-174-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/1440-375-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/2040-137-0x0000000005080000-0x0000000005090000-memory.dmp

Filesize
64KB

Download
memory/2040-136-0x0000000004E50000-0x0000000004E5A000-memory.dmp

Filesize
40KB

Download
memory/2040-138-0x0000000005080000-0x0000000005090000-memory.dmp

Filesize
64KB

Download
memory/2040-133-0x0000000000330000-0x0000000000496000-memory.dmp

Filesize
1.4MB

Download
memory/2040-139-0x00000000082B0000-0x000000000834C000-memory.dmp

Filesize
624KB

Download
memory/2040-135-0x0000000004E70000-0x0000000004F02000-memory.dmp

Filesize
584KB

Download
memory/2040-134-0x0000000005380000-0x0000000005924000-memory.dmp

Filesize
5.6MB

Download
memory/2052-520-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/2052-265-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/2388-583-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2388-320-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2824-547-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/2824-283-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/2948-214-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2948-206-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/2948-212-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/2948-429-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3144-405-0x0000000000F60000-0x0000000000FC6000-memory.dmp

Filesize
408KB

Download
memory/3472-232-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/3472-231-0x0000000000D00000-0x0000000000D60000-memory.dmp

Filesize
384KB

Download
memory/3472-484-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/3484-655-0x0000013CB2B10000-0x0000013CB2B20000-memory.dmp

Filesize
64KB

Download
memory/3484-643-0x0000013CB2B10000-0x0000013CB2B20000-memory.dmp

Filesize
64KB

Download
memory/3484-765-0x0000013CB2F60000-0x0000013CB2F70000-memory.dmp

Filesize
64KB

Download
memory/3484-764-0x0000013CB2F60000-0x0000013CB2F70000-memory.dmp

Filesize
64KB

Download
memory/3484-763-0x0000013CB2F60000-0x0000013CB2F70000-memory.dmp

Filesize
64KB

Download
memory/3484-762-0x0000013CB2F60000-0x0000013CB2F70000-memory.dmp

Filesize
64KB

Download
memory/3484-713-0x0000013CB2F60000-0x0000013CB2F70000-memory.dmp

Filesize
64KB

Download
memory/3484-712-0x0000013CB2F60000-0x0000013CB2F70000-memory.dmp

Filesize
64KB

Download
memory/3484-711-0x0000013CB2F60000-0x0000013CB2F70000-memory.dmp

Filesize
64KB

Download
memory/3484-691-0x0000013CB2F60000-0x0000013CB2F70000-memory.dmp

Filesize
64KB

Download
memory/3484-690-0x0000013CB2F60000-0x0000013CB2F70000-memory.dmp

Filesize
64KB

Download
memory/3484-689-0x0000013CB2F60000-0x0000013CB2F70000-memory.dmp

Filesize
64KB

Download
memory/3484-675-0x0000013CB2B30000-0x0000013CB2B4A000-memory.dmp

Filesize
104KB

Download
memory/3484-674-0x0000013CB2B30000-0x0000013CB2B4A000-memory.dmp

Filesize
104KB

Download
memory/3484-673-0x0000013CB2B30000-0x0000013CB2B4A000-memory.dmp

Filesize
104KB

Download
memory/3484-656-0x0000013CB2B20000-0x0000013CB2B30000-memory.dmp

Filesize
64KB

Download
memory/3484-654-0x0000013CB2AF0000-0x0000013CB2B00000-memory.dmp

Filesize
64KB

Download
memory/3484-644-0x0000013CB2B20000-0x0000013CB2B30000-memory.dmp

Filesize
64KB

Download
memory/3484-617-0x0000013CB2AF0000-0x0000013CB2B00000-memory.dmp

Filesize
64KB

Download
memory/3672-340-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/3672-587-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/3876-262-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/3896-282-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/4360-162-0x00000000004A0000-0x0000000000500000-memory.dmp

Filesize
384KB

Download
memory/4360-172-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/4360-156-0x00000000004A0000-0x0000000000500000-memory.dmp

Filesize
384KB

Download
memory/4600-149-0x0000000002D30000-0x0000000002D96000-memory.dmp

Filesize
408KB

Download
memory/4600-170-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/4600-143-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/4600-140-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/4600-144-0x0000000002D30000-0x0000000002D96000-memory.dmp

Filesize
408KB

Download
memory/4640-616-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/4640-398-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/4708-396-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4748-377-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4900-565-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/4900-304-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/4912-394-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4912-192-0x00000000004D0000-0x0000000000530000-memory.dmp

Filesize
384KB

Download
memory/4912-193-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4912-199-0x00000000004D0000-0x0000000000530000-memory.dmp

Filesize
384KB

Download
memory/4980-379-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4980-607-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5076-432-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5076-642-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download