blustealer | 914ec7967105f367c2c14070b9c8b338354ecd2747f8972202714bb3668f39bc

Resubmissions

17/05/2023, 01:49

230517-b8zhhacd81 10

17/05/2023, 01:12

230517-bkztcsdc42 10

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
17/05/2023, 01:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
Size

1.5MB
MD5

67683d83541b578498d12ddc5828260e
SHA1

679904b6c6101f399811885b42e98c4c8c564e6e
SHA256

9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680
SHA512

fb3080919598e0bedaa3b429e86f498bbbfcfb257a9c92dc9f6c197e2da9bd17328cc762bd97e7cbb770f0d6f1e8c8c05107a59f6204ce8ebc5ad4996e8e709b
SSDEEP

24576:sLOOmjfJ7uGyhgAzbOQ31ubRVTkK09CDg2bCaUwFDyfCTdNuuVIF/gwqb+:sG17uGmPOQ3oNVTkhC/bCaUwpy2wuV32

Score

10^/10

blustealer collection spyware stealer

Malware Config

Extracted

Family

blustealer

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 22 IoCs

pid	Process
4256	alg.exe
4592	DiagnosticsHub.StandardCollector.Service.exe
1948	fxssvc.exe
3404	elevation_service.exe
1448	elevation_service.exe
5028	maintenanceservice.exe
4152	msdtc.exe
4744	OSE.EXE
1520	PerceptionSimulationService.exe
3736	perfhost.exe
3216	locator.exe
1640	SensorDataService.exe
3040	snmptrap.exe
4120	spectrum.exe
2512	ssh-agent.exe
3580	TieringEngineService.exe
1996	AgentService.exe
4928	vds.exe
1340	vssvc.exe
3476	wbengine.exe
2096	WmiApSrv.exe
4976	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\msiexec.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\a93afd31c9ce9937.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Windows\system32\wbengine.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Windows\System32\alg.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Windows\System32\vds.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Windows\system32\spectrum.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Windows\system32\AgentService.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Windows\system32\vssvc.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Windows\system32\locator.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4220 set thread context of 4892	4220	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe	92
PID 4892 set thread context of 4440	4892	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe	98

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{989CBEF4-A34C-4AE5-A19C-57B2F66BB278}\chrome_installer.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jrunscript.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\orbd.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\kinit.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\servertool.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\wsgen.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\java-rmi.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jsadebugd.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jcmd.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ssvagent.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\servertool.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jp2launcher.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\java.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\orbd.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\rmiregistry.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstat.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\servertool.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\keytool.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002602dea56d88d901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000657331a66d88d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d8463ea56d88d901	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000339c38a66d88d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f2427ca56d88d901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c8193aa76d88d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000db098fa86d88d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	91	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
4892	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
4892	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
4892	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
4892	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
4892	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
4892	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
4892	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
4892	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
4892	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
4892	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
4892	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
4892	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
4892	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
4892	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
4892	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
4892	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
4892	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
4892	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
4892	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
4892	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
4892	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
4892	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
4892	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
4892	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
4892	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
4892	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
4892	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
4892	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
4892	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
4892	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
4892	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
4892	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
4892	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
4892	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
4892	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4892	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
Token: SeAuditPrivilege	1948	fxssvc.exe
Token: SeRestorePrivilege	3580	TieringEngineService.exe
Token: SeManageVolumePrivilege	3580	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1996	AgentService.exe
Token: SeBackupPrivilege	1340	vssvc.exe
Token: SeRestorePrivilege	1340	vssvc.exe
Token: SeAuditPrivilege	1340	vssvc.exe
Token: SeBackupPrivilege	3476	wbengine.exe
Token: SeRestorePrivilege	3476	wbengine.exe
Token: SeSecurityPrivilege	3476	wbengine.exe
Token: 33	4976	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4976	SearchIndexer.exe
Token: SeDebugPrivilege	4892	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
Token: SeDebugPrivilege	4892	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
Token: SeDebugPrivilege	4892	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
Token: SeDebugPrivilege	4892	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
Token: SeDebugPrivilege	4892	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4892	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 4220 wrote to memory of 4892	4220	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe	92
PID 4220 wrote to memory of 4892	4220	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe	92
PID 4220 wrote to memory of 4892	4220	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe	92
PID 4220 wrote to memory of 4892	4220	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe	92
PID 4220 wrote to memory of 4892	4220	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe	92
PID 4220 wrote to memory of 4892	4220	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe	92
PID 4220 wrote to memory of 4892	4220	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe	92
PID 4220 wrote to memory of 4892	4220	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe	92
PID 4892 wrote to memory of 4440	4892	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe	98
PID 4892 wrote to memory of 4440	4892	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe	98
PID 4892 wrote to memory of 4440	4892	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe	98
PID 4892 wrote to memory of 4440	4892	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe	98
PID 4892 wrote to memory of 4440	4892	9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe	98
PID 4976 wrote to memory of 3552	4976	SearchIndexer.exe	120
PID 4976 wrote to memory of 3552	4976	SearchIndexer.exe	120
PID 4976 wrote to memory of 3732	4976	SearchIndexer.exe	121
PID 4976 wrote to memory of 3732	4976	SearchIndexer.exe	121

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
"C:\Users\Admin\AppData\Local\Temp\9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4220
- C:\Users\Admin\AppData\Local\Temp\9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe
  "C:\Users\Admin\AppData\Local\Temp\9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4892
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path
    PID:4440

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:4256

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4592

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2964

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1948

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3404

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1448

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:5028

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4152

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4744

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1520

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3736

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3216

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1640

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3040

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4120

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2512

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2336

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3580

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1996

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4928

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1340

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3476

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2096

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4976
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3552
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3732

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
087abbda0cb7768c7dffd3cf42d46f9c

SHA1
076e9aa354463683d8bf2f9b1599cfb030523831

SHA256
f9e84db075cf5f5255fa5f7c9295590e8a574cda133fb400a8db87902d57ca4c

SHA512
bb66cb02dfc90dff6a5e6312709581a4d1472c6a46fe33f8d1a7fdde9a7c286690231264367a19bc4f1949f89bbcb8201fcb20eada59645265a9bb51e1a4f246

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
ebea36acb7e69b973adcd2369c3d1294

SHA1
d5525ead659a864dfcfa264692c1a56fe929d1b0

SHA256
16018b81f68f4122f6ab755c8fa6d4cce070bf8c5e00e4d2e8f5907acfe61ff3

SHA512
f5646aacc743e9a3a93e0af5ecd06e0c95542c540efaefcb4107389071ff7f678a1cf8f1e74987ea29499c84d3890cd5f6332d9da6544d477fd1a6611f159406

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
ebea36acb7e69b973adcd2369c3d1294

SHA1
d5525ead659a864dfcfa264692c1a56fe929d1b0

SHA256
16018b81f68f4122f6ab755c8fa6d4cce070bf8c5e00e4d2e8f5907acfe61ff3

SHA512
f5646aacc743e9a3a93e0af5ecd06e0c95542c540efaefcb4107389071ff7f678a1cf8f1e74987ea29499c84d3890cd5f6332d9da6544d477fd1a6611f159406

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
8c9a8311a0a1e87f6031a18f87169409

SHA1
993400bf7e54c25b273001df53d9704ae7230ffd

SHA256
d530e460f45fccc3e19edfad803ca9d2f76b0a436987e8649878870d30bf5dec

SHA512
6f97120beedbbfb9dc6e04ad0b51771bbb965400629f9f524de85daa32fef6f6340c174df715bdc6dd7b6a60835a56787dc088ac66eca3a8025b7ec1c67cfe2a

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.4MB

MD5
ea63f8ba10b60a52d3fb972e1b5778ca

SHA1
96e93fdf678805ca567f15fc1eaffacedd422758

SHA256
044750dcb5a9a88a8de18e63cbf6140bd6be5ec8d5a220657702ba724a6cfdbd

SHA512
dc919bcbfbf61a5df657338cd2720ec5a1b13561d40540b7e4152ab7b5144433ec5a0c47cddc9b2c24639b177912db0df83aba50f521468094565912c4d59a09

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.1MB

MD5
a3baedbb8550f4cd45144bf7c66de6ad

SHA1
f5806206ad297a92bfbe0a344918dfcc57b9768b

SHA256
7b87a395a21bc560df44d90828f7b0ff7d3aa48a5f779ac83781a9374f32a1d5

SHA512
de8b9ce6a3ea5b7e7efc04ea26c69f8f476a26c9781271abe38a1757dda84b288dcfb665393ab0b8fba73b27a82e5389b0942572637f58a6492e8b3a40518167

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
6108dbb901fbf29dfa0e423c0c10eb17

SHA1
0d87614b794d9f001ecd8edb541297513cd8b595

SHA256
35d97f85e3cffbe79a02c6da8982af7afbedfae6bb97607475728dcdee6eb56f

SHA512
b00a352bdeccb0bdb1a246852d562d30cb95a151d0eb6f9f7d1932cd3837977165598161ac8f31b28ff2c9fa6f17461378104348b28925ce622cf2b0ef20d210

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
1d6be3615576a5b0a2b0ccdc191ababe

SHA1
871f4a64e087a2c47296e490dc97e9f7d2b5824b

SHA256
fae0eabcf0d59266642d0e726a8d430427be3e1ef40090d17108d30edace38e8

SHA512
bce13d9a88c57828a0b6d4e9fbd16322a125adbd07c3c8921c639b0d62015b60c4c8ef22840dbcd4fcb77b2cf88fb2a7cf00edca888dcfd52b1a6f3b11506751

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
12c63b6b431dd3cd579faef71ddc484d

SHA1
6aa67dbfb34c27750ac810023d73f7e4b3ebca5f

SHA256
79c51b05568519528a53750069e03fc3f9b588caa48916db681c32a3fa9ad7cf

SHA512
1f440fb3bcfbc6ef4ec277f298f6ed04c3ea3292e4ec3311055f48b5c7b6181ccee82ffb61c66d5cc216620f8d71c35093daae8c67735fa21f292c49133687d5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
fd3b97bfc7cfacc2953fa41f7691bf3d

SHA1
f3266da44c3ff1573763ccc85cc698752fe29c6d

SHA256
1a1e8a82124d540052e250c6d189e4a55ab26f1bddf27c6b5e361c0492e73636

SHA512
248adae3a52f8b72cbd22dd4a7d15b23a070feddc0c08503f7110c47996010d7a7f82a8d9c3aab113c9e934dbb2e0917ed3eb1f776468039b751f1362ab17b6c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
5230c1a410bd840c3eae6068e9422dea

SHA1
ac82cc683e28d76d955edb91f57bdabfafee652c

SHA256
ae03cde15ad30de0dc52151c4be43c8ac853a49dc52f606aca3b52ac0dc3179a

SHA512
9a9262f15004d736e4d88d0cc5d43b3a90b34ad29de8cd62bbf79713566715bd8701872b5bbdd9da0db637ce6b2e0810157710dd8d29ebdb2383a95caa8a47c8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
0b68554ec78123bb0161f93e20b3ca79

SHA1
d1a0042f423fefdef5ad9b37c59d0129e9a794c4

SHA256
01a57d4d42aba7df30d910e90d42e1b980cb106f33e825fc5eb97424f61f5bba

SHA512
77498791d9baf798166fd675d1c21e978c33f3f07205883a689394cf70132cfdde343acd50f7a866a27d506010b95639f2188e6dd083203985a2106ca957f50b

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
0783d413117b75f8cdbccfd4ddc231e8

SHA1
e826d1a869f46491515fcded795ccb98cea90305

SHA256
c5a2e35a6ea349e6fddb396eb0a196a1083dfc3b84d211b87fc1a18dd652bc98

SHA512
c6ca495e34d3d0a3ce8794841e111d48bbac0e1791d5bfad26f9fe93a9fc2ca3e0e809e480bc0d40676af3ed0c8dc2e50f9adf4a7869eef0b50c468a53c93bb5

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
1d7575ebdd331d5cc040c0c6c48b4ab0

SHA1
787c5dd806360c5c114e01a59b02399e6e035754

SHA256
ecb9466c2b89bebca6d5c1713d8342e2d914070157221b6bebce6a381115da75

SHA512
14248bf226468e744db5073060bbe1ab77419c857ce54de4e7b264dbe73028b8750767f082ea9675e4fef3796a5ce289b809caa4586e52e7fb73f8c39e94a3b4

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
fdfa71ecbaeae0fc185dfcc13753a9c2

SHA1
ca97320b63590b4821e8a6bd908061280fff7533

SHA256
538fdc8aaff39a19d1be7ac502fd716baaa1ffba2b0d17b9a5fb28a739d132e8

SHA512
abf1f6b3a3b2d428dbac666a173cf9ce9cee093245d0f8ba369e0e00b5fb6385b2ede67fa470419f31069c18d3c19de7d93e8bb9153044d7fb38a70d15e6c6fa

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
5d2492cb6c16683db87c6910691f1915

SHA1
01b827d6a3611780128cdfa0cf5efde6ed69bda4

SHA256
f88f755abbccbc5c097f67579aa70cc87650258b149815fba8c09239f4dd48d6

SHA512
a2e70b616a5fcbf4f4b41c9096fb7219376a1504a6fabd5cff8d87f3127679595b71aa0136922006f1d95aa4b8def12a253e3e978d7f047a41cd360ea18f7f2d

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
0615cc3f6ce32ef9b93802888abb0388

SHA1
4d814d6af9c2618be51e9b1c0bd983a0ced8c684

SHA256
301df5f7077f5cfd248169ebc390aeebb40065971cf7e8d13697fe4ad6f541f4

SHA512
4fbe89fa91696b11590fa5ca0f618e609875039b81c647c1c462c88b6c6920669bb63417eefffed6e66a78b3e99d31c094f6855e898c29976624bfc853d98a38

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
70ccebc23a2c926914dcdf707273aedf

SHA1
fbac9f4ef8cfd0ed6150314341d687cdf3847e05

SHA256
cc4427760a9af0a5aae4cc9cf9fbfc6219cd592d69b375b4e29f62aeeebfd5fb

SHA512
cc76a19583ffb0147ec1228869f19a1130a74d9e4af7e42b135404a3f2d0747577393e3a9cf731e0389f30c51af3086a1fd544969d587a703d1db59def5caa0f

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
da2afe7a25b5d0eea17641fef2b51e65

SHA1
ef17b625f70978fb919631ee3347f4c3e57694d2

SHA256
39ea8e7fee87ff182d4b4e0f1ea907179f33b9b0242cdf24fac944814a41819f

SHA512
15184e4113c24b68dacf698a7c573850889dd2294014b9ade2e734def86da6a06a388d52dff6c9d7a9cb9d64cc0d0397497ea68681eef4a777a3bb3e8f834173

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
06263786a7d5908c7110e93e9316432a

SHA1
4b3979a15ea060497e9ef8929926dbcec6358052

SHA256
306176f64ca8a4f1305d67731283cc3a9d86b2e14908f0b50dbb6bb50cc6834f

SHA512
b58fe13dccceef178bed89141e2e10d6d686421a99778c837576d25bb58d6f760a0465f9661ece299b70b5a9f7a213830a7fc6151a83c5160ecca8d5a2238028

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
a1acb06d9edab525329725ebdd1eda0d

SHA1
d815ddcf93e0e481c3048a7a497b70bb91aec54d

SHA256
70dd5035e990d3af89404135815d9542c696dd4e1a85d3eb49e9f238b9446344

SHA512
6338fd01d8443428a9244a8fbcb35dc882ac36120136fed8f7c6a7d4bb656c3a141c9549bece06678cf76d30b146059e7414f96ab0c28d364d9ff5edce757f41

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe

Filesize
1.2MB

MD5
bab10dcc0490dc6b36056e245a82b9f1

SHA1
c322e175c1af243a39f79a922918040050a5e912

SHA256
c9bc2f6a79c0bc1b8ea3ddee0bd87e8a30fd0f3f3404ecd20b23c6cb067c5fcd

SHA512
6b171e15d779312a1d220192174495e6ad28b506aaf5e7282c9054dbce29803857f9cf0c3034b0f622de4b89624da339a30ff4265283f6837a4e7fa102fc49aa

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe

Filesize
1.2MB

MD5
1db5caeb075133fee953d72e3ae6361f

SHA1
63b8ee5755123c3d16b56f16dd8d721ec00b703b

SHA256
1a08a76ff9c0d99085ace399bf54a6181b2615057e48b3966143bdcca3f82bf2

SHA512
b3b368a7d900be248e0674ffc72e41edbcf178911bf7d5198de8845b3486374e07363caa93cfff511b5a8bf130743d5e5adf633a3b2c57acfc1942c41eb1fcd1

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe

Filesize
1.2MB

MD5
a20db5cb6de33849b8d10a53f6ae3d67

SHA1
aced2d0a795973d6b67ac6331c5d33b8a8ca42b4

SHA256
49b5cc7a5db0d631b013da9a86c38b9274ab568a98670af78db080b918ecbf49

SHA512
04284f8b01e3d6b8e5a53a8d77d484b3b93c057ceb4694f740e7e2ea63d78afb9815c732c8518a6df0ed4d597bc0673413840a7163e19466c15f04a6c8351a89

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe

Filesize
1.3MB

MD5
8e95d81a8df3386bdabce174c9f719f8

SHA1
674ab52b4f42c017d5b32de0b8877a3d75567491

SHA256
69afc0f06d6dfea13d52c09b0c1cce93139baac1e86970d8ee3a22595d2ac412

SHA512
36adde86e4c68c3a55848c3cb20bc4290a25e8c3e5df9a0a08bad5c6258961d873981c3ac106dfc451bf74f5bc7390711bc1240795fc7391912e5612a761de9b

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe

Filesize
1.2MB

MD5
8798bdf8ac68450d725e3053e3ed869f

SHA1
2aff728ee97992d4cc4f2edaa4313261b8454e90

SHA256
ff33bb671ea80c6bd68419a87a007c936a55687bbd062268094c41f609f201f1

SHA512
a8cbdce4e2b46d71b51527af5ca9dc40698bc2ef73a14a19e3a436447a0f616bc0d81a5b8b3fc057d8b604ccc07d2d18be2e69f479f87b58a40dd77de8333eef

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe

Filesize
1.2MB

MD5
83bf6b31524a95bb47d54e9297d49772

SHA1
1978fa396f90cf66311a05ca3f83665ac76e2d1b

SHA256
94d791bdcdfeff70c25691c19efd8b192e142276fcb91fcfe2f937587060d846

SHA512
6b8413accc2fcbfb617bbebfb031b9b9fad8bd1ed6b0f5544694c719ec55188e835f9cbab04918a24d5f676c664760b9203a2980a8a9f14f9c8be3bac37b3988

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe

Filesize
1.2MB

MD5
78cd06626039ca3f2f7ccc8bc8a04e58

SHA1
456046afb55bdb2d7e3a9e16c8c029ebb3ce924e

SHA256
8ad8ac87fd46f89aa4f69e89b1ccaf7e76ec13073567f8735fc2667bb78ac06f

SHA512
c627756c284db390645dc91e364aa9fdb9b53dd2c51cee93b98d7635b02575eb41dc766ea2067bafbe21d1866bcf11b122beabd1f7731d570f3b42dedb31c52e

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\java.exe

Filesize
1.4MB

MD5
ea96f8ed81d79ee748f95eea905770ae

SHA1
be466260377d6a178bc851606edbad17a97829db

SHA256
dcc220e55c1e60c386d13b3536ea0df282e01375da754d5131e8c153221be451

SHA512
03ad6ed1fe0b72768cc283fe4fffc1353257137350caa780a6ad22c0ba718ab43a521c900e4c3c66716cfb379a727faae269a4eff112444b4d4f53d9a03da6f4

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javac.exe

Filesize
1.2MB

MD5
30a59a63b3c7a0ab1235be32ac5bdfc9

SHA1
78d57c25717e121d2780d87c78deb7a48a11ea3a

SHA256
e8e8bea5b211ee488c6fbff388ff76e6fd89a435406dc97432894c620e59ff95

SHA512
61dd7e488022c513f24f6461f0f323be1651458f052f8fa23ca054a200851365152d82e1b93d3a942f77c89e87d29f474549de52f9f8af8bd393fa33188bcd9d

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe

Filesize
1.2MB

MD5
50beb8d134c326109e360775d6589537

SHA1
aeb9c01af35196351f495b4ad559c8cbe1082ece

SHA256
cb8926d73fd4b6057deb5e353ebf538a9bddb6a35ed4086a0525bc7cad8ad3cc

SHA512
7652bfc75e5d045382c701f52da7b508488dd2c441741a8dfc449ec6f592bc7d6df30c7c2d813ec480b2a7dadea59a1227e505ff74b2951f0393f139ca6db070

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe

Filesize
1.3MB

MD5
083f2ae18fcb19b35cebb0afef29741d

SHA1
e83038f352732b972864a5f9066da8b44fa4c79c

SHA256
64ef1b1d28f3fb24141cd158d0f09cd99c6a163c5768e6a456458d80ee24f53b

SHA512
9ba44adef482e7ac1facef5699798bd9f945b0c75476cc48718a52a4626a5cfcc9fd2b3a6395f619d3db0dac0d95b8041bc0de8fe02b204f811f55b4b475dff2

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javah.exe

Filesize
1.2MB

MD5
369c27d2b497702140af459e1d1a08db

SHA1
10de66b4bf41f5c7b7c9a03e972b059f95bb10fe

SHA256
94904b68f9362d2534286a5c5d1fd455b6df9472c36b9b8872aae0b5ef3925bc

SHA512
729cc142b407bef22f1bce3651e1813524cae1badfb15f91ead91b765794afd34cb2029417cbef06839142417f13ddee4deba88f0c85b741c1517554f5b78c85

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe

Filesize
1.2MB

MD5
22360770cc5f80c303ec03651945cf72

SHA1
55aa5e6674f54c94086d978cd9dd8b6fc3c0e6ff

SHA256
4a7e5eee0e7cc6e24c29c88c47df620e60689d6d7a7fb6dcf5dd8e0f7224dbb4

SHA512
cf43814a944c56878431920eaa8e530dfccd8398d44c2e5f8aa0d50272f87d6bb2a94f6fe0323038797c17f77b1758c36d53333a4744f8cfcbbda2cc21d8ed10

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe

Filesize
1.3MB

MD5
67ee5e61e11d1c2ce67c775a24e075fb

SHA1
f2c5776000e2b89638ae6c182f23aa87f69b2128

SHA256
677ad36a3c9f5335d0b3f0b4275affa85db0bf8e94aba11c95141e09e4d98c61

SHA512
ed0824098d9c572000b191f49f87c01f19278f92cea757c8c5bad1df1174646a7d27b907aae0e2b6e67edaf40d74c0c1fd1b6f262b4d50a743c0b9f2dd9f6fae

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe

Filesize
1.4MB

MD5
cd6cf400f069c6473554fd2ff6001386

SHA1
4731b586479f327aec58ecfeb3c7337c1213ce97

SHA256
48035067ab4c0921848d58ef0900185fd8b4a2c8a655fcc3cf5243b52dca97f0

SHA512
bcf4048876c86ee55acd8ed08d412510cbe764372d90227cb35d8425357a176cc776570d77067a0f2c989f335e198d03f2f3cb43663317d0d35bd65eb7e9fe77

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe

Filesize
1.5MB

MD5
b60500a8202911802c878de147f6e8d0

SHA1
3ff2351bbe2d504edf839033d44f1016afe84d6d

SHA256
3b7201181ae5aaddcc59bc553a7a784e3f5407a230cb75db49862501efe0e7b6

SHA512
3ad98fbfb4c127049753dcbab28182a83b8314c4339f323dfb2f371b7fc02a4e85e5fcc7eb2319690d1a9371d8e528f05d1dc89818c8973c4909744ba5a9a36f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
9a7541eebd8d8e3e0e0f11dc693e13a5

SHA1
30689e018d245555e0e4d6395143cb6d0e908680

SHA256
6f89cd4f2e8f5331146a6c28a76162a530496446b728c2612791edd1f6203f66

SHA512
80871c8cd77e7f7b20c86407aa3f75bb472c9fc806bf6facb3657a42622156bdaaeb7f7f2f63d0c4d92b69fd1fd920e06cc49edf14c5adf74f26fcd17be364b2

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
8892be82be258ef1f67d36c4660ca78d

SHA1
93d78d8cca3b4fed1d5a74e221e5c3e4fc2f9a47

SHA256
2ff3f2c767c3040a808f5eea67a31b3e44fb0842d8f88060c144fbc3eb422de2

SHA512
53ca4aa02b202f03e984de5b7b039b4c4dabf0bac843b6b8f6dc05c86a2f32ee79f2c1e8a22702b6c82975b884389e0b76560ed5193dd99e2cb4c1285c40b929

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
7fdd139d952032d576dae79108b9d3d5

SHA1
d56b5b362a922a27b128e11c42d71844eced044d

SHA256
297ecf3623a199021de979385d8fea1cf716312e0756faab182b4a130764002b

SHA512
25b792f84da8a8d13744963f9037aa95f6b28d78dd1d6569a83c7bfd19893c4a2227960ab18925506ec87aa1eb84a024d3a476a46fc754b632c21a0c5ac0b05b

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
fe87d9b3b9f3d54f9aa799707392d52e

SHA1
28d6e02e2a08d821104b0c71368881a8765a905e

SHA256
1039b303d64c2ad5147a3172e822220a084ebbbe8c593eb58c391105a32a0089

SHA512
82c47857a7396dc1cb75e1d287b27d86b9ad44f057b718b1c77b045a841c867158bedd5809d0e9a720a81a63227aa0190d98588f393a32797258d99ad6d0a5a2

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
a191118ef8eb13342a66f514768c456c

SHA1
b00876b93b83bb9fe06a75d607dedcd4135c0a6c

SHA256
ff4390a566cf0241feb1772b2543f28e8c474e19f99065cdcd5d614bd3cc4cf3

SHA512
e7f589f4cdf0399e432927b12f6d2d78d9c626bc948ab759e92a632cb3581457e9695d0bc4f443eb8d2ffa9ed119c323470818f0d6ea7ea74e69285a70507e91

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
8e7d8b1956935eefb553a19bc8a9f0bf

SHA1
dc263eb25c2b9b93eda9144f1e382393e72b903e

SHA256
df21bd0dbe118307e2385a2764e28b3ab5f4e926ae62a6d3bee703ffcdf5041f

SHA512
3b4c2b695e6d4e589eb54b6346c41015a0aba36919f4d52c80f2f93dec867fb798d8305a065df19bafd2b2ca137a4f22d3c2c4d437be9aa6f612f26343492129

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
64cbb5588366e3173baff93bfcd1153b

SHA1
5e6e2e250718ba6e69a081c06303387683ad67c0

SHA256
07ae9b1ef1de45f53f70deeb15ca5bf8187382e8aa440de738d1154a212a7aa5

SHA512
882d0f5abd382a9a4e277a0c6a222078a4884555f28031a8f04569fea061f8157ed6a7446f0cc8efe5f344195e988ad02b7c9634dacf12ff60ae7b6d89bf6ebe

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
64cbb5588366e3173baff93bfcd1153b

SHA1
5e6e2e250718ba6e69a081c06303387683ad67c0

SHA256
07ae9b1ef1de45f53f70deeb15ca5bf8187382e8aa440de738d1154a212a7aa5

SHA512
882d0f5abd382a9a4e277a0c6a222078a4884555f28031a8f04569fea061f8157ed6a7446f0cc8efe5f344195e988ad02b7c9634dacf12ff60ae7b6d89bf6ebe

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
8a45d18b6621e20f4fef450b026fb955

SHA1
fa60ca8803a179690faa565e33aaf494987e2cfb

SHA256
0fa7218a88ae08e411ce0b53c7126e25ff9a25d667a223a78d1889e3c334ddd4

SHA512
dee469e4c4053d8b8d58464881248c4f4ed698f7ca2311dec7bd31f29cd2f250687c5ae67a961abda6f9f22fdfba25502816f6ddb638f8e94673a3229a706a0e

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
54ba744c8ec7edaf8c84e77191fc63de

SHA1
13dda47cfd53121ee942e16f80cb31c5d725009d

SHA256
43fa0353a16a3dc3200562012cb9b0bcc176f388dac97afac096a67fe2653e95

SHA512
75e57aab089e65889eb4909614a955541fbe87fe79245f72d3902b28ebe448c6ddc1296d1556b1042c7d8b476c9cb7932199b4fe39a9a9f99924eb4deaeaea49

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
aaf79db5fb52d52f5b2d890561213fce

SHA1
f92148bccf52d44703089cc9a8415e083f0db801

SHA256
8a0e42c3aa194fa846ed5eb3223d4ccdee7919bbbac4497187fac89847341cff

SHA512
2aab33fc3d98287be271a1b8e0d69e82d936800b0e66ec282770cbb3dba5992edcd295ef510af38b4e12859f52a022ffbb728fde4878487f1c70fe014db9dda5

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
aaf79db5fb52d52f5b2d890561213fce

SHA1
f92148bccf52d44703089cc9a8415e083f0db801

SHA256
8a0e42c3aa194fa846ed5eb3223d4ccdee7919bbbac4497187fac89847341cff

SHA512
2aab33fc3d98287be271a1b8e0d69e82d936800b0e66ec282770cbb3dba5992edcd295ef510af38b4e12859f52a022ffbb728fde4878487f1c70fe014db9dda5

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
8629043910f3cc3b9e1d02a4d396bbc4

SHA1
f40c272b9458164b4d6c48681ea6a098a303b63e

SHA256
5fd1722737a9dd57c8f63752c2fb8c0ca722e245514853fd0ece12a46d63d30d

SHA512
3c8731c1249ef25d1bf888f1c4aa72e8894291e5926bcc9030823cc508bfa2c74f2836430b2462d75920b8980ff54830431219b792f747416ff81ff0cbf67ab3

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
e1961048a88af7ee8a370f389b473df8

SHA1
d30a364f1d159788fee2f2380d9bc2d4dba7763a

SHA256
40a9d2e82a403ff21fe60de3b899fe11acebb0ed9cc799ac7a6e1aaf9d549136

SHA512
7e8ba7128d6b82b1302e63dc399586a1480f343e7a82ea56d600ac1020992afc281a12f0820c7ac9fc86b23c8d9eb1877bfa0f48bb4513e718447c2cb3c12191

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
2780107773bd039ae70eeefa692f1572

SHA1
096c59a9c8fd9c1b3ea405dd328a075375f7e894

SHA256
aaa49dc7012e0312ca52a25972cf0a5edff09b1c88ce08d45814181efbb7aea1

SHA512
30ba682daebe1518f20f8d713b9fe501e1dbe8ffad90889888c76eba6219e64b11d3e0b8dbcb81a4a42edcdc822a7c54b0a2a7174cfc97badd54594b2d731bd8

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
635e16973872f577113a7cf7cdffad79

SHA1
fc37cd531e4323867da6b20c84eb599e8077f995

SHA256
8a82ff4a43c3931463277617f78ca527e826eaeb87b948b98cc44885fd285e9b

SHA512
569a8c81b632b2e850746434538ab9ba19f9fe6f1267ea91232b7d84241a64eae5e97725fb243ca70338ec047bdbdc46762b4d323ffd8b40878dc9a1c44a3bae

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
2443e490a931c55c59c165156080b1d7

SHA1
aaafaac7bc39414a270a73b4b2a3ad4473d4c3c2

SHA256
0386ca1c0158e36c0f846aa2cd168682fd90c9a46130c9f25c744e55da2ece22

SHA512
1cc260dfa04c3facb5e7bfeddbdaee86255ae9e4c301a44ccba89c44f49a2001c98688662d698a75142f67b417791d307b7ba48a81cd3f50e6702bd62129a29b

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
518dfa83723dcece3299491d1a24d361

SHA1
7182472f18578d9d84c4c1cd455039457b1923b2

SHA256
43167f0bd4d06246333afd01a56de66f600ab1293ea14515c446909c2850508e

SHA512
ce620041ff034681789bb0a07969e244813ebf23b503d1bf615972ddede398a1ff8dea101463c2fa7e7ff5b25660592f6c34f2002fa127697edad29c8e39253e

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
0f3afb237627756c8a8d2f2a0325973c

SHA1
15fbebd9dc6a3d60b5b5063fb8bf6f9ee7a1dbff

SHA256
2610cccf04606adda85f0118ce3a6ea84099cf0bd3ae9ccfde1796b4a90a6d0b

SHA512
f0730a1a41b82f515a17525bcfc9e70bd4c0d5689862402faeb0004aa3d5ff8eba1a9320a7eb124603116bb1edcc451c7e68cd02cb1542cf224b35bfd2d0c454

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
c2617353830ce04b2714fb696f198a11

SHA1
f8fd39194adbe2efb17bf80f4f945fcc75ff1d75

SHA256
9b3b1f4bd6aadb1ce76922053c4efe88b5ff8938d960ba1e4c49c1b91dc3ed54

SHA512
d61623a0e8987135f13b1e6f94f04cf8cc309a5ca7bd2d465767ad6fe5043142b35ecf69ec829bb4d0105788ce8651806af21eacf96f476e4e3a0311729ce3a6

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
3b00e766dcfcac9fac99b1876fb63105

SHA1
6d92b07f5d8710ea79517832cf09488708a066f3

SHA256
5069392b9adb750e953928b1f65e01cdade45088c5ebafd8e502f7d1bc84c6b0

SHA512
d4deb3a07bedc2359ea355135c427ba275a24030f70e29378059ba16ef2ebadec5238c95577159d4f1bc0b0ccc2e3e244993ca9ca96829bb9e6eed8ea09f4489

Download Submit
C:\Windows\system32\AgentService.exe

Filesize
1.7MB

MD5
7fdd139d952032d576dae79108b9d3d5

SHA1
d56b5b362a922a27b128e11c42d71844eced044d

SHA256
297ecf3623a199021de979385d8fea1cf716312e0756faab182b4a130764002b

SHA512
25b792f84da8a8d13744963f9037aa95f6b28d78dd1d6569a83c7bfd19893c4a2227960ab18925506ec87aa1eb84a024d3a476a46fc754b632c21a0c5ac0b05b

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
f2566e739348cc5b1d1d6355a593a073

SHA1
19f7ded413d9ef3f3869b0224b624ddac0787588

SHA256
e6a413c44f1eafa21c2b198aa7f25129517855a2accf603f5da70b0b700bf9cd

SHA512
9b12259faa055a28295f34d8a29453bfedab900803651091baeabdf1a524c0055e09db4bf07fbe3f40fdfc7f8df4ae3d406c68097677b87f83b4e80630c44435

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
cda561d5e38f308f8bd53dfa1b764418

SHA1
5d259dbc9fdd1e4e815941e9ee933969e400479b

SHA256
b4bac240dd1cdcdc5645a3b949d29dfd460a74ad245a44b0d0935f7297d57fc4

SHA512
e82785c45ab080d24bd62cdf9c31312c54bbbf1c89890ec01ffe0a2549f5f733c42efab1bad0ec83439052048c94aeeacf07a1bff7c540d15399818973fd0f18

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
a191118ef8eb13342a66f514768c456c

SHA1
b00876b93b83bb9fe06a75d607dedcd4135c0a6c

SHA256
ff4390a566cf0241feb1772b2543f28e8c474e19f99065cdcd5d614bd3cc4cf3

SHA512
e7f589f4cdf0399e432927b12f6d2d78d9c626bc948ab759e92a632cb3581457e9695d0bc4f443eb8d2ffa9ed119c323470818f0d6ea7ea74e69285a70507e91

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
cd880e5da2b37fcd5f00c477977ab3f7

SHA1
f3ce0e83847e77f0d220d837e776b90b218b9c36

SHA256
93cd63c394c1aaea8f061d37d2760307cbbf660475899de5c4a350ec7397d7fd

SHA512
12b74ca713643292f97e1cca534cbba0f2db5e0935e40af3380629f08dc61e8cc5ea986f4b41ff87f9edac749df57aef31fdac051448fc088334d4e9c95d3774

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
19d3810818e7d7b1e15b7b21f8727aea

SHA1
4a4ac02214bac2d1bdbcd4ad9b8583b86670da1e

SHA256
a8b3a1bde93bd1390c9b39a658dbcfd0ecd787ad802c5815f02aec48e3aa7561

SHA512
68751e3a1d3d06c3edc455aa9c87428dbce9a3a03b9a51bbb0f15c5795e02cc1bd44fda6a9ffd2a5f3b8c491c2667709db975dba912b92c9c001033cabb3bb27

Download Submit
memory/1340-381-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1340-615-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1448-217-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1448-213-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/1448-512-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1448-207-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/1520-280-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/1640-304-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1640-568-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1948-187-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/1948-181-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/1948-201-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/1948-192-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1948-204-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1996-358-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1996-364-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2096-623-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/2096-419-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/2512-355-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/3040-589-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/3040-306-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/3216-575-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/3216-284-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/3404-199-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/3404-195-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3404-191-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/3404-509-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3476-416-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3580-356-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/3732-667-0x000001C03DD70000-0x000001C03DD71000-memory.dmp

Filesize
4KB

Download
memory/3732-738-0x000001C03DD70000-0x000001C03DD71000-memory.dmp

Filesize
4KB

Download
memory/3732-666-0x000001C03DD60000-0x000001C03DD70000-memory.dmp

Filesize
64KB

Download
memory/3732-700-0x000001C03DD70000-0x000001C03DD71000-memory.dmp

Filesize
4KB

Download
memory/3732-733-0x000001C03DD70000-0x000001C03DD71000-memory.dmp

Filesize
4KB

Download
memory/3736-282-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/4120-594-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4120-324-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4152-243-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/4152-234-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4220-134-0x0000000005960000-0x0000000005F04000-memory.dmp

Filesize
5.6MB

Download
memory/4220-135-0x0000000005450000-0x00000000054E2000-memory.dmp

Filesize
584KB

Download
memory/4220-136-0x0000000005400000-0x000000000540A000-memory.dmp

Filesize
40KB

Download
memory/4220-137-0x0000000005630000-0x0000000005640000-memory.dmp

Filesize
64KB

Download
memory/4220-138-0x0000000005630000-0x0000000005640000-memory.dmp

Filesize
64KB

Download
memory/4220-139-0x0000000007490000-0x000000000752C000-memory.dmp

Filesize
624KB

Download
memory/4220-133-0x0000000000A10000-0x0000000000B8C000-memory.dmp

Filesize
1.5MB

Download
memory/4256-157-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/4256-170-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/4256-163-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/4440-205-0x00000000009C0000-0x0000000000A26000-memory.dmp

Filesize
408KB

Download
memory/4440-219-0x0000000005050000-0x0000000005060000-memory.dmp

Filesize
64KB

Download
memory/4592-469-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/4592-177-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4592-172-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/4592-169-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4744-278-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/4892-145-0x00000000039D0000-0x0000000003A36000-memory.dmp

Filesize
408KB

Download
memory/4892-150-0x00000000039D0000-0x0000000003A36000-memory.dmp

Filesize
408KB

Download
memory/4892-414-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/4892-144-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/4892-143-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/4892-140-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/4928-382-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4976-420-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4976-624-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5028-232-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/5028-229-0x00000000019F0000-0x0000000001A50000-memory.dmp

Filesize
384KB

Download
memory/5028-226-0x00000000019F0000-0x0000000001A50000-memory.dmp

Filesize
384KB

Download
memory/5028-218-0x00000000019F0000-0x0000000001A50000-memory.dmp

Filesize
384KB

Download