blustealer | 914ec7967105f367c2c14070b9c8b338354ecd2747f8972202714bb3668f39bc

Resubmissions

17-05-2023 01:49

230517-b8zhhacd81 10

17-05-2023 01:12

230517-bkztcsdc42 10

Analysis

max time kernel
145s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
17-05-2023 01:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
Size

1.5MB
MD5

67683d83541b578498d12ddc5828260e
SHA1

679904b6c6101f399811885b42e98c4c8c564e6e
SHA256

9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680
SHA512

fb3080919598e0bedaa3b429e86f498bbbfcfb257a9c92dc9f6c197e2da9bd17328cc762bd97e7cbb770f0d6f1e8c8c05107a59f6204ce8ebc5ad4996e8e709b
SSDEEP

24576:sLOOmjfJ7uGyhgAzbOQ31ubRVTkK09CDg2bCaUwFDyfCTdNuuVIF/gwqb+:sG17uGmPOQ3oNVTkhC/bCaUwpy2wuV32

Score

10^/10

blustealer collection spyware stealer

Malware Config

Extracted

Family

blustealer

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 22 IoCs

pid	Process
4940	alg.exe
2172	DiagnosticsHub.StandardCollector.Service.exe
3152	fxssvc.exe
4572	elevation_service.exe
4540	elevation_service.exe
4428	maintenanceservice.exe
4240	msdtc.exe
4948	OSE.EXE
1020	PerceptionSimulationService.exe
2760	perfhost.exe
1824	locator.exe
2368	SensorDataService.exe
3944	snmptrap.exe
4712	spectrum.exe
1368	ssh-agent.exe
3932	TieringEngineService.exe
1440	AgentService.exe
3772	vds.exe
2528	vssvc.exe
4900	wbengine.exe
2200	WmiApSrv.exe
2156	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\vds.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Windows\system32\vssvc.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\2536b3c450d0d086.bin	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Windows\system32\msiexec.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Windows\system32\spectrum.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Windows\system32\wbengine.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Windows\System32\msdtc.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Windows\system32\locator.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Windows\system32\AgentService.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1028 set thread context of 3688	1028	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe	89
PID 3688 set thread context of 1464	3688	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe	95

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\native2ascii.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javacpl.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jcmd.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\wsimport.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jvisualvm.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\orbd.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\ssvagent.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\ktab.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\unpack200.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\unpack200.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\nbexec64.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javaws.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstack.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\policytool.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\kinit.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\java-rmi.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\rmid.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\keytool.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\serialver.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\keytool.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\orbd.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000db8f430a7488d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000081b0e5127488d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ad8cca0b7488d901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000938238097488d901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000090a1180a7488d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f424f8087488d901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006d77ac127488d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	94	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
3688	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
3688	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
3688	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
3688	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
3688	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
3688	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
3688	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
3688	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
3688	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
3688	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
3688	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
3688	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
3688	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
3688	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
3688	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
3688	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
3688	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
3688	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
3688	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
3688	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
3688	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
3688	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
3688	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
3688	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
3688	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
3688	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
3688	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
3688	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
3688	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
3688	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
3688	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
3688	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
3688	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
3688	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
3688	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3688	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
Token: SeAuditPrivilege	3152	fxssvc.exe
Token: SeRestorePrivilege	3932	TieringEngineService.exe
Token: SeManageVolumePrivilege	3932	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1440	AgentService.exe
Token: SeBackupPrivilege	2528	vssvc.exe
Token: SeRestorePrivilege	2528	vssvc.exe
Token: SeAuditPrivilege	2528	vssvc.exe
Token: SeBackupPrivilege	4900	wbengine.exe
Token: SeRestorePrivilege	4900	wbengine.exe
Token: SeSecurityPrivilege	4900	wbengine.exe
Token: 33	2156	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2156	SearchIndexer.exe
Token: SeDebugPrivilege	3688	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
Token: SeDebugPrivilege	3688	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
Token: SeDebugPrivilege	3688	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
Token: SeDebugPrivilege	3688	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
Token: SeDebugPrivilege	3688	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3688	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1028 wrote to memory of 3688	1028	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe	89
PID 1028 wrote to memory of 3688	1028	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe	89
PID 1028 wrote to memory of 3688	1028	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe	89
PID 1028 wrote to memory of 3688	1028	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe	89
PID 1028 wrote to memory of 3688	1028	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe	89
PID 1028 wrote to memory of 3688	1028	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe	89
PID 1028 wrote to memory of 3688	1028	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe	89
PID 1028 wrote to memory of 3688	1028	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe	89
PID 3688 wrote to memory of 1464	3688	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe	95
PID 3688 wrote to memory of 1464	3688	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe	95
PID 3688 wrote to memory of 1464	3688	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe	95
PID 3688 wrote to memory of 1464	3688	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe	95
PID 3688 wrote to memory of 1464	3688	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe	95
PID 2156 wrote to memory of 1992	2156	SearchIndexer.exe	117
PID 2156 wrote to memory of 1992	2156	SearchIndexer.exe	117
PID 2156 wrote to memory of 2056	2156	SearchIndexer.exe	118
PID 2156 wrote to memory of 2056	2156	SearchIndexer.exe	118

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
"C:\Users\Admin\AppData\Local\Temp\9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1028
- C:\Users\Admin\AppData\Local\Temp\9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
  "C:\Users\Admin\AppData\Local\Temp\9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3688
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path
    PID:1464

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:4940

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2172

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2076

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3152

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4572

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4540

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4428

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4240

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4948

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1020

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2760

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1824

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2368

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3944

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4712

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1368

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4072

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3932

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1440

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3772

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2528

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4900

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2200

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1992
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2056

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
99c6aaccd92f10ab68ce31e3dbd71780

SHA1
91e53a726dbeed99634bfc4bcce95a436fcb27c8

SHA256
210def934c31ef7f58432407a4d993e81f89a509c6d05cdbf4a3c373bde64ac5

SHA512
64662a5ad39e11895ca25aaebf37de0ceb272d1bb3e7c79c5fb34ae18b5fa1495a8d475762d2850de89b32bd0460c13fd8b18145c7a2c338052b46c6619edabb

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
6b942817087c96ee6fcf76b3e935ae1d

SHA1
35d1a80bcbc2c6f9893cc4248947d7ffd4417234

SHA256
3c179efadae8bc3d3dc697850f944c076b249524a6a4b7eb0fa965259ccd405b

SHA512
ab0db147300fcce7ff119e9d5bd263c859fa02f05399e296d823f1cc12779f7b1b0ee561b76607d861d602d597d18e6c568d1a3cef20f4d91d49ee6f6e158bd0

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
6b942817087c96ee6fcf76b3e935ae1d

SHA1
35d1a80bcbc2c6f9893cc4248947d7ffd4417234

SHA256
3c179efadae8bc3d3dc697850f944c076b249524a6a4b7eb0fa965259ccd405b

SHA512
ab0db147300fcce7ff119e9d5bd263c859fa02f05399e296d823f1cc12779f7b1b0ee561b76607d861d602d597d18e6c568d1a3cef20f4d91d49ee6f6e158bd0

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
569d15818c3ff952b0bc4ff8287c3a9c

SHA1
2b778d6a0dd4c51da75ad57fce68fe3ae7f31448

SHA256
bf7aa33eea0a95a169dd5184616dae7a00d2ffe88d1496dc621a0328b854f066

SHA512
b4ae0f5306c9363eb86348e8966ddfa60a8d47592c106d331f81417e89eb6fb51840940adb427575b330cdf75dddd0b36075828dddcfe995c77861dde6570006

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.4MB

MD5
9df7286ff900fbcf07613d95adb7c58c

SHA1
198720c2c884f103abeb805aeda4d83c259093ed

SHA256
30171f07ef522ec0741f0985d103b71fcbe672618870abcab37885a15852a257

SHA512
cd1759b8db005503bea31dbd1c5430aaff2462077052e940f28a231f5c1d02a01ace142ee8c7f423c93c5dad2cf0ccda57e3ea8ce57d71d717599404824e2381

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.1MB

MD5
2be411c0970ec3d8f594253fa128293e

SHA1
b3c224fbde5b64c984c779b86aa7e4acaf92673e

SHA256
67c66cb874350da41e021cb28be1d6066486c1e793ede4cd7c1206171c2baf88

SHA512
4894eedd133893e86eee010d98ae3f58c1573bdd1a5c7546762248bbf5212a79ccefd556a582a29c843a6cc031511587ddc044a796b7b68c4da6e44c3fc1ef3e

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
1316170338467dd6adcf5bfcd89d5ab4

SHA1
e43b73a58b6bc12b16abb4260ed080b34ffdcda4

SHA256
f5b848adaa78b2de91c52c23c35ed105113b1fd549ba36ff5fe9e0c40e1651ab

SHA512
09ad17adadc5d3d96fe71700fa82fd88d6e16a88fe6cdbb19f827327b3994d6bc9f58550f44c8127a37f53272c65f3adb644dc61181e67723db652091964e84f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
ab1ca0a8cf8a3c3bebeecb97cab242a7

SHA1
8bb1cc79c070539a0d64464afde8815b23c798e5

SHA256
cb77cb77d4e784ad0bd66cee6231ee5eb935d868149d130683ccdae3a2b11235

SHA512
521121416787e24843f1d402a589104313d6d9aa7e4c43f184a92cf09cc3cd229622fbc2a34f94a11be39772dc1a7d5cca22552df807caba8b357ee5308c542e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
abb8d6643caa15208854aa662954de1a

SHA1
f36c86cbd7b6e58ab338f33241744b58aa0a430f

SHA256
48e647036abb1bfb320c3a5139342eade037c2849ff9901028fe1d43eff39344

SHA512
9db086dce97d86f9bfbf0891138970f8ce5d055113c06e5e1e786936bb13748a8915f26e5a6bfef49fda1d5c23422d25f2cc6feeeeb7038c48a19d22a960c2f1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
8c062376d053536f9eb42295a25fbfa1

SHA1
1c1149038f5f00274743c003f4e435a5b0ed461c

SHA256
93c83f8b1b7b5ff225718be5ca7d1d1dfb2d0b890d7991736115c6b5de7a5642

SHA512
2cdfac39c020d0e2eaf88efc61fd962cfd96c5cfcf175e4bc68b72b1b0511297d0e790e76a65f3352cf57a0784f91bc35521da50c3b13154ace18a04aa0f130d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
10.2MB

MD5
febb7c76442be7384d458f2743bafc50

SHA1
99e1bb282e320fa2cb1a863f5a4fcbdb1fb3760e

SHA256
86dfca24459cc3b07f87d8b22e2cba9d3967d8f62afa6df9a39b9f852140765d

SHA512
aa1dac44a193d9124c0545dea9369f53187a6b02eb22898ca54f12c1e4a7d6bcba77b8bf34b4f837a7b5a73dc24f5996ff75f35800dde7823b2bf3034e732208

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
049e40f2c201c793d3dfbb5c92040d5d

SHA1
bee5f333eac85a3082d706480a6f3e2603a56b71

SHA256
2c42e25457b4bcdb750ca16ed6eb3de2765d368099eb60178d823047a9cc2716

SHA512
7cbaeca4ea95ffe24318c1cd3192245b2465a8a423e7f5b21542c1735b057680f54ed65d9acc677b479ad2481ac007f48a24b38d68fa68e327669c2c5ce6b2c9

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
7382e04f8d64f5239a28c4dd3f363a39

SHA1
4167787b9acac39575c97b2367e0e09944c8a25e

SHA256
c1f489ef4c7f03cda5bc82677dadaf75861151bea4f3e17ac0076c6237e57b51

SHA512
02ca96a482125591736eac38ab8dcfea87c5b635f086fb3deb10ceda92b4cb755fce4f0080a7361b7ffd5d13816f61f09375b276eb867a5e7aac2439c36cc659

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
0f0e374fad5df5b9d191b91ee70128f1

SHA1
62885f32c8d227ce8770c6b19439f69061bea242

SHA256
5eaa93b174ea9fdf90fe49e68bc0f6dbfff73a02bf656cd550872f580f9b811a

SHA512
82b9d59035ad24ef66ea0301f93eb0c6b9a8b8adf283579305d04bf5cdf5bebd1b7712889b6597c126380a1bb653228d4bd79a3f9eaecd8d54335a7bd9f9e5da

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
5d5e46167fc3d30231a2e01c58320569

SHA1
853599cebb0f2ed7616061ba42996ceb9429a43b

SHA256
7b4a8a3850c2a17e6ba2a1ece679c0b79a53e3d85b623a4193cab3dce9e7389e

SHA512
d8b465c77679a1410cbd7a83e973ce20f88813d6562af3ca606fa0d43ce76a25f86f7ff6da21a434d4cc5e5399860cbe2983de7ea81e86552225df23ced492da

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
142bb2c8b64e1779099978282cdce082

SHA1
b2bf277296e106ed10e99bd7f18553fa86c7fdd8

SHA256
6d45944dd73e52e9a1b87bdf8af50f6c77df348ca8239f9fafa41e86024fa898

SHA512
fba0db07d9c8a5050bf2febbd8acd940f3979da9412a2f32fec066981a6f0ee1fbd862c3a1251ec8cb3c8afbd57091a995f0b3d2e55764ecbfffe7ab11530266

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
cdf061f6a96da4662d2cbcb4f6324fc5

SHA1
93268a673d93f6ff2066d299197fb4b2702a7657

SHA256
b437a374a8790b156a36bdf765586849efd6b8e3d2298f4717354631b40041e6

SHA512
919d916abb9715b55635003114decef7f5aefc8c33f8d337441f9d8b96e03afd21391a1bd5c712d910f6cacb3c6142dcfc7ba36e4cfc80a351b2dbe68e541687

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
996e8fbf1abcba665d29a71b6747df54

SHA1
bee5f6d498b997af1e9ae42ef4a35fe1f4894cd7

SHA256
e1c97db5a1b333135b7cb9b54e33043fc7f83dfc1f37c47de9f566fd695a7961

SHA512
835aa0543d9d95e72271252e08b88e19a1e65e42e6bdf1f541f8e447a73eef82984d210ee964d62585e2fc486211471cd0ee00fca5d42f0bf5623e0a0edebb17

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
120c9148c58cae6a0936eacce5ead9b5

SHA1
f3992f53ee0bce9444af48e5077869e68357a735

SHA256
2ea76b9b02876ecd0d187241484c16844c1288cfe908a65fa1df0ef9726f3ee0

SHA512
3228829cea3eb6aad970db3d22b752505699edcecda565e64007951bac7dfab88f90e2e62ba90130c88759d40d36b7b8a6f9afc749360a657c932e7e828bd0d8

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
1bcf78fb899bf2fe86563c58ae1afe50

SHA1
8f4c88507f93054ef2a93d82933242a73eaacd13

SHA256
8ca34fe348215f6d4427ec5e4c8fab11dfa52d8bfbda4109f2a74f70d07971c5

SHA512
1c6fbb33e1c5af969ea99b3882de095d4b5e66c3456baad825a67726000959d2872b4779797f9416c5c22193013694c8bad055fb84e7ce647033315115f30f04

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
b8730c724e8020fbc48ace6c3ed8e60a

SHA1
cce991dfadc0afe43a7992da69ecd3a566829fd1

SHA256
58bc616430bf9deff5f95a6e76c635df9a1d4f781245c1becb15ff1e7431e339

SHA512
0ca4505c7439ed1ce47e4eb4f334b179bb2203b492ec67672411a87e92141ffc4fa3bf76c2c2f17115dc95d661a84561fdcc77e38250dad0b739cc21ef479a44

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe

Filesize
1.2MB

MD5
2ffea928bf0919edf988ddd89ab9ed93

SHA1
49dc3a576f774e3d6f4b1f3f2d43739c405d6bbd

SHA256
04caac8fc66ad643cb0ae7d90e7a2ebeeddbe4bfd0c3716606e26d566f1e0f9d

SHA512
6cbf86b4cbdceb016dfd785ab7ea6ac42f48637a4440db1fbe66f9558f26ff5260640375c240ebd2dd5c7b092d2ed0b43eb63efbb4bcf1581d7c2930f4b6da1d

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe

Filesize
1.2MB

MD5
76ef4c1f448ea9ba894edf1b3fc43cb1

SHA1
5ff4f3a27c0ab7f01e75f4bf450c8df7b90e57d0

SHA256
b9332a04db3bc5ee12c482c0ab91b6dc2c625e70aeddf565d6b28340605b5006

SHA512
6a4469a1c7cd17e1bf075cf07d56c8334dfb1232fe0bfcd3f78629df3510034114b1b943ae8f9d02d79758ac7a2edc5671506e414047852304c54ce339919b2a

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe

Filesize
1.2MB

MD5
40cdd5283447c6740879a483e294d454

SHA1
1c80104f3e2c352907705ddd17d788b8441cf690

SHA256
59b75f9f5c4dbfcf6d0c2cb44be9e4510ed5ceb28125ad2f270a5ed4c53d91fb

SHA512
a0bbcdc31970f76b7ef6afdb74dce05b01f42fbc1b9a21c9de1f220832f480f145a34ebe4454e76615efba2671c4e5c5c113df6b17d4896ac729a0a78b3d66c5

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe

Filesize
1.3MB

MD5
116e05e77531e17bfb4f41037548c6c8

SHA1
7d2e837576649a2bbf24f87c8f3edbe0f5f9439a

SHA256
6ce2c8dc94c1c7804f266870a3082823ae1a2c66eb4a67b04725aab48cd0fa1b

SHA512
408fe5654acd3f01a7cddca6364037306928fdef91350ec8e96fb7604d99e17933b81bd4c8dc7b2c2479e48eb3dabc35d6c39af08d074f140f8a89376cfc900d

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe

Filesize
1.2MB

MD5
ad25ce06b747b259a08f643adb06aa27

SHA1
cce848329895b60c3288c0dc456a8cf98c513946

SHA256
f8c2461a35b15705454ed461e8b62bdc6b3bbd39e20be443c845a5acf5d72ee2

SHA512
70acf5f61df0c7de93d803d5be17e2c955cc05df5696e5ed857fbc3ba986278f4de9cefffa292108816b0b48b705cc5c50a9642a1dd814921f8201cc9ab71776

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe

Filesize
1.2MB

MD5
119907c753862956ad8894d4c80121f8

SHA1
ccb7a40ca3eff0f0462cec1827f8390477e78790

SHA256
5cfdead470734ec872dbc81c99180650c0df2195c3ce27c11aa4047b3c1b749a

SHA512
d10c90fdf0a629517b6af30fb54100b2b706b969f28039b74d7ecd14b7961de2c736b5fece44f5b18c22a8c98177eac700913873c451cded2a8444cc2588b330

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe

Filesize
1.2MB

MD5
367d62f7a4bf8a48502ca53ce040d2e8

SHA1
3e55cf01ef37b13fa23028e6f8faacea0c9129a6

SHA256
6f6ab98370505d4a3bb518d64611a91b8283ac2e3c5228b63f4e26c1d8e2ee55

SHA512
74dfd585d907ba636f36d8ef963dc59f16645e74619e880d82e0559991ce8b9100f6c018dfe23837016d724915a8f2272fe8629bc97e90570223b9d0a01f5ebd

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\java.exe

Filesize
1.4MB

MD5
073046e743a5010be5aa00f9b4b6fa35

SHA1
b3a1ed5822b0c0ac11ba38c33908242a5cca07cc

SHA256
db3d66f7f90cf5dba8777aa74933f61e10f3b973eb19dc7ecf20a0baf83517d4

SHA512
217b5b9bc31ee4837c5e6aa94622e703c6593f3c1a4f4f6c5144c1c2948fbc71401f5894406d6c3799196f6d1402911243c8fd7c67da3b4bafff2ff2f2cb4ef6

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javac.exe

Filesize
1.2MB

MD5
97033770210c4939c9f3beeea6b5d5f3

SHA1
6b0029a7cd7eae89ee0a7e9afe3fa9a457adecec

SHA256
dc554df1d35f7e2e14c88aa37d2f6377812a273a19857c6077087ba0dbff9ce2

SHA512
87db870c6fab5e66379114775b6b2afdb75fb0d84b02391cae8d79cd8a1ca49e1445e05227cd61e34e6faba19d42a9a3f2cda2f175ebe3718397c7fb99114fe6

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe

Filesize
1.2MB

MD5
41f588f9a6bbe69e97636d2d78e07fb1

SHA1
cd6efc0084b1157538eebf2dd88cda6e0f68284e

SHA256
d33d5cd42732d0a7de5df7c3b0d75da9b3032bc2a37614c0330cb09478fdc529

SHA512
0d8d33ab993c9346f34c0ef4d885bd85f5664dcee1c81820a444c3c78204e08564c8db107330532e3c735b0edb836f35d91a9b437f7546e9df133c2baeadc600

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe

Filesize
1.3MB

MD5
972c4efb148a361804b7042242557463

SHA1
7cd01b2b8e25068dda15c592d319408db2c53ddf

SHA256
e1fb5613c8036dd09800c62fc24b39ab01b85795d4e8881c95bdd9ed717e6e31

SHA512
acdeac733ebf239a5cb90d58558cbdefdd9e8cba65fc4747385ad16b67d67fe910de67a54024bdd818ba58172c2a5ab8a8e05c3d0032f642bc183b889ade20bf

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javah.exe

Filesize
1.2MB

MD5
0bf946a71186c01d907511b1ce4b476d

SHA1
60fe2a758a8dbdbd5bd05151b9d8a47620d01e74

SHA256
7784089eb18cb993288da4e055cf366b97cf32720c5d3111052721908dd2bbe2

SHA512
1d6db3d2562e2dab0ec42ba6ba70d84f0051a1330233f5a74e5e43ab5c9c00977094ea0c6e459edfa5086a90a34129d1b330ddfee969cdcca30a95816e27bbd2

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe

Filesize
1.2MB

MD5
5671629fa83d95375ef3326f56d489e6

SHA1
af2cedd37cf394a437162230486016ecbf414fab

SHA256
fefb6aac9df06a05458c480aaabb4ad618e177cdbb4620db39bd3e64242f09d7

SHA512
b4b8e7f536e33ac586754823506afd9d732eccad0f5fdb41e151d39630cd202c6e8c5be465ce6efccb048b0a341c91a8fa406944a6fc99f09f1528b6ab576a66

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe

Filesize
1.3MB

MD5
1f45de8f18b1aa06b3409b10dfc07c1a

SHA1
e496db4ff94b86e60bf63bfcc3043c3bd190cbab

SHA256
f3b32174dc1b69458b38088bc660a04334c128be1c9c7f47f90761e0439224d8

SHA512
511ef52316d9ebf1af951ca109e5c687f703fb36504fb78a48209726deb00778dd5c453980702fa927bc9094c182668567bdc3a545f90aaf8fdbd402ccd42f74

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe

Filesize
1.4MB

MD5
5aee394cf464f39fda314ab0c248e426

SHA1
3e4dc2d71d8813ff27bbb71c08c242eb3f29195e

SHA256
229b0c0ec5fc706f465d926817d0295aca3bafac0b225b1520e4bb90493b3b72

SHA512
94a5e02ed2aaa45b796dba6af0f80f5c4c0bf9fc3565f6bfab94784c1ffd6558d71fb3093631130f76f8571020b72414f7e7f69453dedddee427397b273d579e

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe

Filesize
1.5MB

MD5
34ed611aa1d5c0d9803c15c3013361ed

SHA1
2aabd8fd33e2a64e3210daec3ff70ead555e1e3f

SHA256
f55200f23ba57023a26ea1edcac619b65a902cde5e8f42b1d501c662e6a62924

SHA512
05eff4fede70ed9de94cf0546e0b36d3872c0d3aec201e0bb9ffc40052f28c86639d1f3af0aab590a3f0a01128ccf382b33df24de154c7dcacab3bd67a3e1c52

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
3d972c9ac1e405d50d216d4387d1923c

SHA1
7fa00024a3114115ff0775497fd53da1aea589a5

SHA256
c23b7aca52f25b2c52a80e5f6be6289574a44be1c905f09614a63ac14828e316

SHA512
13d090a0db84e814af19e5cc161a63e0d1f6e38c1a447fa6c5a92267f0f1cdf5cdd79dfe73451bd3b7efc1dfca3b29622594cf097c2545f678370c13fabf17a1

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
a2c8a2ed09572fb84f19f62f5996483f

SHA1
c1bde7678b0ff6714f304158fb37df873d730558

SHA256
4dd5ec1824d739f87acb389bfc271a148ab23e32d685e0bb5866e95a57de6e29

SHA512
126eec82598134bcf94a1f7607d4dcc44e34e17f56cc65eed1ff18b22fcb64c48fb8cacc79ce88e3ea8f7c9ac1858294d94453d0a485238a3fa62939df08dcd2

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
e5136111dc2f7a587229f586a0d886a4

SHA1
a2eeff0c95a517619b7dbee5c2ec9795cc895784

SHA256
dc7d6b1bf4d43278151a43a3c155871f445f317eba73a02f7af103ad284ddfb9

SHA512
3b1d2a8adf398289a84e28b695baaf66a6b68e7119ed428948baae27238eea8f79481eba70f80f2b6a0f02e61476522033df7c69e12e65c7bf712779cc9d06d1

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
7c46050f7979ccdefaf1594e6666b606

SHA1
4b85ca5855b4f70931efed21b805b453a1d391bf

SHA256
964c47d11baa793470ac01d7b1454e6af7db120bf7d054ed06976e7ec174fc18

SHA512
92f7d929196739fa843f527408420986ff6404d9310eaa06885b9a1fd374010a64e435b2bc7837c5e7f833d9ff764abc3d617859fba63dd7ccace5ad24e91e2f

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
dc78194db571192a530c85d13dd3170e

SHA1
7e2fb439fe3b3c985f869c81741fc7bde283ba8e

SHA256
89d889d48eeea92203639ab277ad17393dd082a86a673d93d5303f76532b0ddb

SHA512
5dd855407ba41d19e78facb8d80015426d3a90e64e7e03b1e10b3f47314839f5e8493f84b0096ea9ff033c76fba322577e6fefe0473aa0b3305684c1af34a56c

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
b8ff5792e922ec7222679e0e2bfca880

SHA1
47c7623b7348db278017397c58382464b784e3ac

SHA256
30284fa94bc34f31ba406cacf1c32b6b760bbe8dfa12ac211a7af58d136f6e7e

SHA512
cd3020d584afb342e841229cdd549de4488cb8e4eca097df16637907eab17630f288def0653216e449385279d022f0708be0079bbd152a022bc2475ef3cf92fb

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
f9b416d4bcc6189aa31f0b0e15d4b506

SHA1
c8cddd68d1267c9ed5a10ac17f9b2817471c2fa9

SHA256
baf1b5263021acde1cd7e29c9d46e826e07c44e918a749ef1cb8d49bbafb786c

SHA512
c43904f5625520fb90ee05a3cfc88a20bb6386bd232b6aa6684db56825c8ae8e0fd1cba92a46ad7f762e1bd29aa30dd165327a95abd0741e9251a016c526acbb

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
f9b416d4bcc6189aa31f0b0e15d4b506

SHA1
c8cddd68d1267c9ed5a10ac17f9b2817471c2fa9

SHA256
baf1b5263021acde1cd7e29c9d46e826e07c44e918a749ef1cb8d49bbafb786c

SHA512
c43904f5625520fb90ee05a3cfc88a20bb6386bd232b6aa6684db56825c8ae8e0fd1cba92a46ad7f762e1bd29aa30dd165327a95abd0741e9251a016c526acbb

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
97b01e5e6c584faa4fba005b3a58bdf5

SHA1
71a531bc3daead99d5341928d04db5d984dc3955

SHA256
61902639900a85f42ee537e4f0f6e4720bae57317da7656bfc77a9b52c5b2b86

SHA512
fd743fb57fa7e4f7d46daf93a10b920c24d4110ade8ed1ccf2ee083da8134b15045b6e35feeec08c791eb5699664ae63097e4fb743c396cd6ca7fdac94f28cea

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
c3bb34d327b108a5987a7491c1d89385

SHA1
29c68de41eabfa7b8c4dc25bfc2303172b09a691

SHA256
88ecea957f98e7a1b5882cc9d68efd4cf8a500eed1e53fb8d69ddc5235e19cbf

SHA512
496c8640896a0e7b5ed901d26619a66dcb216dfbf2fee483cbb4393ee68a1f6504f2ae17e77f5db4ad56cf58bcdb9c37c3032d13777242f61a3ae1408439a49b

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
9bf4c5e2dc660f3f08d45d3d45cca55e

SHA1
ec60c1cacb94a540fb4e023eca3936d91a5554ef

SHA256
206e888c225eaf70d4013a207a78b931588ef4834002bbc59cb8e11603ec2775

SHA512
84e381de658a325f92253793370dee90258ea85e1c31e62e8e8707e6ddf4ffad355a3c2580c19e1832ca397d3557d196fcdbdd86af71c42a319d3e685cc492e9

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
9bf4c5e2dc660f3f08d45d3d45cca55e

SHA1
ec60c1cacb94a540fb4e023eca3936d91a5554ef

SHA256
206e888c225eaf70d4013a207a78b931588ef4834002bbc59cb8e11603ec2775

SHA512
84e381de658a325f92253793370dee90258ea85e1c31e62e8e8707e6ddf4ffad355a3c2580c19e1832ca397d3557d196fcdbdd86af71c42a319d3e685cc492e9

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
840e1cbd3a8ff1fe657704ced27161bd

SHA1
2d7a03c89838d590c0aacdbf8075567c10fc1ddf

SHA256
b43929262aa1627666222cea0ec64f360401923572c3f5c42478b5c32ea46b19

SHA512
2680a969aa8ad524db151fd76ac9d1f31d7c35380dd8cc2f0894458a952a7c474295dd43a7ea254130c74b1524c0709bc69c81d7a1b1c1cbfd9dbcc7abfe2072

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
38219c8501ee5b027a43e02940689e63

SHA1
8abb2d30960c9d4cbda859654224907d49403811

SHA256
1225556886a840e12138a9fae917af740a1e8e690a0ca15779c0f0d4c82bf478

SHA512
c8534138db7f453757988669981229cce83679eb6d7adec008cd0744522a770040099258994384962d066833dbd6df28bd2df19e12ee05298baf3b626988afdb

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
37b03d665e89a839e2f24bd7186daf0a

SHA1
0ad8e8284e720f9ce6e7eed99a02f35851f5b2a4

SHA256
7e2aab29bda14fa78c5e5ef266ce65719c7f5871fcb0065321c17c432149d269

SHA512
fb4e669689914ac25ddd9a15efe1265a4f2641c80c7c3690f047971692d49ba418028fcf5904ce95f54be17fff61740bc124500e660c4528d84e74f2b1f951a3

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
d35cf07bd08a501c6d8799db7780d841

SHA1
15e511931528a7a92f9317fd5153552bfa566137

SHA256
d6aa23c2472c7b39da3aa3f894f5d4787f023a2d9597499d0164d060bad78194

SHA512
0a3afca782a3eee3b1126009735d376b192bb22be81ad8372982c939b0dde08c59f9af06cc95b648569ab72b11f44421a7a520e681f4e752ff8470a015dbdad6

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
1098fcdf8da85363bdbd14036d5e49de

SHA1
fedb243e1b0d4cf02145bb5d86fa8e3bbe3169a6

SHA256
45326bbfe9c94dbb3ae9b27cf2f8ff18292ca41bb77f5e56c9cec3f2e753f611

SHA512
8848c52dce64644e071dc3257ed5cf86f430b497065d8cb80ea4ae4b2eb786d8ca1979f8bf79e40746665d374fecf256320c424f0649ae110269dcff888f6065

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
b84693bc97107b8501f5a419344b3705

SHA1
1dec0af95c446d46849a12e8a1e14f3e69308a8a

SHA256
d1e44568f2dc7650b714bb9caf7d0826d94a7ffd30823c0b269e33e8aca0d9b9

SHA512
a0e0f682fcdda41f9d5ea968c506d1b547194e0fde95cc92e7cc730df1782c32584c41b6f2cf242f2d8945ff1f0d22c6761db04964a6556c64842812672446dc

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
4e36ff856e4c647980bef20252b5527b

SHA1
2567945018c71a1c416c492a404b35ece2d5fd3b

SHA256
972cf7723ad88cb02cde92e328e0a7e24e5c4db6be770cbc42ca008421b75467

SHA512
2fa1cca70aaa41c764c7492e110d0ac4eed6532ff5567e6c22c08b4031b685119e4b7d07a7c5babdba140f4cd008fe8ae822ecbd844c66007dfcca9f13760ef5

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
741a54bb6bdc8e6ef253c305eedb7422

SHA1
8e1d93051e73141ae6af70b968e3986325fde305

SHA256
e17b7bdd73ed2fe2a98b685433a357be3c14e5a1209f62ed147bd5c94bf49996

SHA512
cd674d11fe3741f5ea8202392e85d026c7ea5fe305c065f679d7dde258528c879af71f709d19c875a8c58ad64f5f84e8b9d46ccd4530fafcbc2081af2e8ca6e0

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
44af55e64f5aa442cecf8567a76a40d8

SHA1
48f55783e0276e4cdf03c483cf0813114fea9abe

SHA256
0e1bfccf623627bc12148f929335d67feff922176f578ae6f45dbee670dfb650

SHA512
a3db8c1e599d5fadd4936614b674340bbb177784a0f11a4331e5d81aee709789932aeca0b89efc782814d74a2b257381b5bc27a9260f1dd963efecf1dd255017

Download Submit
C:\Windows\system32\AgentService.exe

Filesize
1.7MB

MD5
e5136111dc2f7a587229f586a0d886a4

SHA1
a2eeff0c95a517619b7dbee5c2ec9795cc895784

SHA256
dc7d6b1bf4d43278151a43a3c155871f445f317eba73a02f7af103ad284ddfb9

SHA512
3b1d2a8adf398289a84e28b695baaf66a6b68e7119ed428948baae27238eea8f79481eba70f80f2b6a0f02e61476522033df7c69e12e65c7bf712779cc9d06d1

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
41147d5c1b89274b5dd0c9b69def4c89

SHA1
4a7ca06a03ab90b35164f9b1745f84216076d228

SHA256
179c13a4f2b035af41282b9f4630deed6f0ea0218f72ac03eca3226a01aed893

SHA512
348d72bc0a489f7357542d8e536c0344b0fe63721cafa32a1bdd1663cc181bfc320f1aabe1276114b0fa200986d20f1a585940bbba45be73742d08dc706718c8

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
53e60de25b1def62dc80bc95fe0cf679

SHA1
5121df52bb8d5cfd56f3d1a80d7381d5cb3cce08

SHA256
d4f72b8260a3e1b1efd0f7a6fc52c662018f6ea407f1f51e0751e85b6aabf8a2

SHA512
b28d22d1f6a6ed6f9a0b23025a8eccb8e05717c80531d933a36929fa485d893372f8b4b1feaefdd7353d715d305ffad8c28356408f51b9a7f312bab77c3c845e

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
dc78194db571192a530c85d13dd3170e

SHA1
7e2fb439fe3b3c985f869c81741fc7bde283ba8e

SHA256
89d889d48eeea92203639ab277ad17393dd082a86a673d93d5303f76532b0ddb

SHA512
5dd855407ba41d19e78facb8d80015426d3a90e64e7e03b1e10b3f47314839f5e8493f84b0096ea9ff033c76fba322577e6fefe0473aa0b3305684c1af34a56c

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
3150c40e355cafb891b6a7b56ae2bbeb

SHA1
233640d376c87690a17168b7e6de594cf46f7724

SHA256
f0f353ea9e293a6b591c8b88cc94a5d823976c46593d4ad1ab43290150916d24

SHA512
c03779fc5f6af08aaf734219a2f499aa6d25ef3beb0b0093906e07ff0e3b80f5133f5160c2baa07890ec0a4c1d28a7feb62371ee88e07179c9150863d90971c3

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
a482229fe2e100fdf95ea5a9044e6728

SHA1
3dd7298518b144262c16429e3b543dae7abac9da

SHA256
b55c220e748fe3d6dda3efd761964b095ed62ae2d99bba06b2b16c63532ebe5f

SHA512
4c40ecd713bdccc67741b812223ec6633975e93184b98c2ae9cd81f882ac85dfc892cac9b12bc9c63d9bbe01909ba9eecc0597fd80335842cf9a6b7e3853d978

Download Submit
memory/1020-271-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/1028-135-0x0000000004F90000-0x0000000005022000-memory.dmp

Filesize
584KB

Download
memory/1028-139-0x0000000007040000-0x00000000070DC000-memory.dmp

Filesize
624KB

Download
memory/1028-138-0x00000000051B0000-0x00000000051C0000-memory.dmp

Filesize
64KB

Download
memory/1028-134-0x0000000005660000-0x0000000005C04000-memory.dmp

Filesize
5.6MB

Download
memory/1028-136-0x0000000005050000-0x000000000505A000-memory.dmp

Filesize
40KB

Download
memory/1028-133-0x00000000005C0000-0x000000000073C000-memory.dmp

Filesize
1.5MB

Download
memory/1028-137-0x00000000051B0000-0x00000000051C0000-memory.dmp

Filesize
64KB

Download
memory/1368-615-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/1368-327-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/1440-360-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1440-349-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1464-203-0x0000000000D70000-0x0000000000DD6000-memory.dmp

Filesize
408KB

Download
memory/1824-291-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/2056-712-0x000002441EC30000-0x000002441EC40000-memory.dmp

Filesize
64KB

Download
memory/2056-719-0x000002441EC30000-0x000002441EC40000-memory.dmp

Filesize
64KB

Download
memory/2056-718-0x000002441EC30000-0x000002441EC40000-memory.dmp

Filesize
64KB

Download
memory/2056-717-0x000002441EC30000-0x000002441EC40000-memory.dmp

Filesize
64KB

Download
memory/2056-716-0x000002441EC30000-0x000002441EC40000-memory.dmp

Filesize
64KB

Download
memory/2056-618-0x000002441E770000-0x000002441E771000-memory.dmp

Filesize
4KB

Download
memory/2056-715-0x000002441EC30000-0x000002441EC40000-memory.dmp

Filesize
64KB

Download
memory/2056-616-0x000002441E760000-0x000002441E770000-memory.dmp

Filesize
64KB

Download
memory/2056-619-0x000002441E790000-0x000002441E7A0000-memory.dmp

Filesize
64KB

Download
memory/2056-626-0x000002441E790000-0x000002441E7A0000-memory.dmp

Filesize
64KB

Download
memory/2056-714-0x000002441EC30000-0x000002441EC40000-memory.dmp

Filesize
64KB

Download
memory/2056-713-0x000002441EC30000-0x000002441EC40000-memory.dmp

Filesize
64KB

Download
memory/2056-707-0x000002441EC30000-0x000002441EC40000-memory.dmp

Filesize
64KB

Download
memory/2056-652-0x000002441E770000-0x000002441E771000-memory.dmp

Filesize
4KB

Download
memory/2056-669-0x000002441EC30000-0x000002441EC40000-memory.dmp

Filesize
64KB

Download
memory/2056-670-0x000002441EC30000-0x000002441EC40000-memory.dmp

Filesize
64KB

Download
memory/2056-671-0x000002441EC30000-0x000002441EC40000-memory.dmp

Filesize
64KB

Download
memory/2056-704-0x000002441EC30000-0x000002441EC40000-memory.dmp

Filesize
64KB

Download
memory/2056-705-0x000002441EC30000-0x000002441EC40000-memory.dmp

Filesize
64KB

Download
memory/2056-706-0x000002441EC30000-0x000002441EC40000-memory.dmp

Filesize
64KB

Download
memory/2156-633-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2156-410-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2172-176-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/2172-170-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/2172-184-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/2200-408-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/2200-631-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/2368-580-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2368-293-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2528-627-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2528-382-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2760-573-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/2760-273-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/3152-186-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3152-188-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/3152-180-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/3152-193-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3152-190-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/3688-461-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/3688-140-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/3688-143-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/3688-144-0x0000000002D80000-0x0000000002DE6000-memory.dmp

Filesize
408KB

Download
memory/3688-149-0x0000000002D80000-0x0000000002DE6000-memory.dmp

Filesize
408KB

Download
memory/3688-164-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/3772-381-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3932-347-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/3944-324-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/4240-234-0x0000000000560000-0x00000000005C0000-memory.dmp

Filesize
384KB

Download
memory/4240-552-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/4240-233-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/4428-229-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4428-225-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4428-231-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4428-219-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4540-206-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/4540-489-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4540-214-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/4540-212-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4572-195-0x00000000004D0000-0x0000000000530000-memory.dmp

Filesize
384KB

Download
memory/4572-201-0x00000000004D0000-0x0000000000530000-memory.dmp

Filesize
384KB

Download
memory/4572-210-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4572-533-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4712-602-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4712-325-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4900-406-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4940-168-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/4940-162-0x0000000000660000-0x00000000006C0000-memory.dmp

Filesize
384KB

Download
memory/4940-156-0x0000000000660000-0x00000000006C0000-memory.dmp

Filesize
384KB

Download
memory/4940-463-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/4948-268-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download