Analysis
max time kernel: 111s
max time network: 110s
platform: windows10-2004_x64
resource: win10v2004-20250610-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250610-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30/06/2025, 17:29
Static task: static1
Behavioral task: behavioral1
  Sample: Bpl New Po-2000023038.exe
  Resource: win10v2004-20250610-en
Behavioral task: behavioral2
  Sample: concrt141.dll
  Resource: win10v2004-20250619-en
Behavioral task: behavioral3
  Sample: concrt141.dll
  Resource: win11-20250610-en
Behavioral task: behavioral4
  Sample: msedge_elf.dll
  Resource: win10v2004-20250610-en
Behavioral task: behavioral5
  Sample: msedge_elf.dll
  Resource: win11-20250610-en
General
Target: Bpl New Po-2000023038.exe
Size: 1.9MB
MD5: b1dbcb99c22cef6d94cf220a53339c18
SHA1: 4220c42c8cbafb533b3a99b18fa73fc35aeacf30
SHA256: ce24c20670a87388411fc3fcb1cc3db347876237555f93027b5c75a76a513576
SHA512: 8fa98064f64a75a17565fe8e8f1e7b2c36b6078dc097b2300e21c288c81d8a4efd233df101e4bcca2163368767dc77d3bd95028990ad635247aa2e5008ea38f5
SSDEEP: 49152:aFEmpklJ+jTX3YFmpFOHUzdDmg27RnWGj:0klJ6vpD527BWG
Malware Config
Extracted
Family: agenttesla
Protocol: smtp
Host: mail.iaa-airferight.com
Port: 587
Username: [email protected]
Password: Asaprocky11
Email To: [email protected]
Signatures
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
Agenttesla family
Executes dropped EXE 23 IoCs
pid | Process
3408 | alg.exe
1060 | DiagnosticsHub.StandardCollector.Service.exe
3452 | fxssvc.exe
5092 | elevation_service.exe
4736 | elevation_service.exe
4592 | maintenanceservice.exe
2452 | msdtc.exe
4868 | OSE.EXE
4368 | PerceptionSimulationService.exe
1996 | perfhost.exe
3140 | locator.exe
2624 | SensorDataService.exe
4300 | snmptrap.exe
5220 | spectrum.exe
3428 | ssh-agent.exe
1844 | TieringEngineService.exe
5056 | AgentService.exe
3572 | vds.exe
1356 | vssvc.exe
4000 | wbengine.exe
1072 | WmiApSrv.exe
6116 | SearchIndexer.exe
5832 | Bpl New Po-2000023038.exe
Loads dropped DLL 1 IoCs
pid | Process
5832 | Bpl New Po-2000023038.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-815616237-4012932787-4224613991-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bpl New Po-2000023038 = "cmd.exe /C start \"\" /D \"C:\\Users\\Admin\\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\" \"C:\\Users\\Admin\\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\\Bpl New Po-2000023038.exe\"" | Bpl New Po-2000023038.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-815616237-4012932787-4224613991-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bpl New Po-2000023038 = "cmd.exe /C start \"\" /D \"C:\\Users\\Admin\\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\" \"C:\\Users\\Admin\\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\\Bpl New Po-2000023038.exe\"" | Bpl New Po-2000023038.exe
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
71 | api.ipify.org
72 | api.ipify.org
76 | api.ipify.org
Drops file in System32 directory 38 IoCs
Suspicious use of SetThreadContext 2 IoCs
description | pid | Process | procid_target
PID 4640 set thread context of 4460 | 4640 | Bpl New Po-2000023038.exe | 125
PID 5832 set thread context of 4928 | 5832 | Bpl New Po-2000023038.exe | 132
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | Bpl New Po-2000023038.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | DiagnosticsHub.StandardCollector.Service.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | installutil.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | AddInProcess32.exe
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Modifies data under HKEY_USERS 64 IoCs
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2 SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" SearchProtocolHost.exe -
Suspicious behavior: EnumeratesProcesses 13 IoCs
pid   Process
4460  installutil.exe (3 identical rows)
4928  AddInProcess32.exe (3 identical rows)
1060  DiagnosticsHub.StandardCollector.Service.exe (7 identical rows)
-
Suspicious behavior: LoadsDriver 2 IoCs
pid   Process
660   Process not Found (2 identical rows)
-
Suspicious behavior: SetClipboardViewer 1 IoCs
pid   Process
4928  AddInProcess32.exe
-
Suspicious use of AdjustPrivilegeToken 45 IoCs
description                        pid   Process
Token: SeTakeOwnershipPrivilege    4640  Bpl New Po-2000023038.exe
Token: SeAuditPrivilege            3452  fxssvc.exe
Token: SeRestorePrivilege          1844  TieringEngineService.exe
Token: SeManageVolumePrivilege     1844  TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege  5056  AgentService.exe
Token: SeBackupPrivilege           1356  vssvc.exe
Token: SeRestorePrivilege          1356  vssvc.exe
Token: SeAuditPrivilege            1356  vssvc.exe
Token: SeBackupPrivilege           4000  wbengine.exe
Token: SeRestorePrivilege          4000  wbengine.exe
Token: SeSecurityPrivilege         4000  wbengine.exe
Token: 33                          6116  SearchIndexer.exe
Token: SeIncBasePriorityPrivilege  6116  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege    6116  SearchIndexer.exe (24 identical rows)
Token: SeDebugPrivilege            4640  Bpl New Po-2000023038.exe
Token: SeDebugPrivilege            4460  installutil.exe
Token: SeDebugPrivilege            5832  Bpl New Po-2000023038.exe
Token: SeDebugPrivilege            4928  AddInProcess32.exe
Token: SeDebugPrivilege            3408  alg.exe (3 identical rows)
Token: SeDebugPrivilege            1060  DiagnosticsHub.StandardCollector.Service.exe
-
Suspicious use of SetWindowsHookEx 2 IoCs
pid   Process
4460  installutil.exe
4928  AddInProcess32.exe
-
Suspicious use of WriteProcessMemory 28 IoCs
description                        pid   Process                     procid_target
PID 6116 wrote to memory of 4884   6116  SearchIndexer.exe           115  (2 identical rows)
PID 6116 wrote to memory of 4964   6116  SearchIndexer.exe           116  (2 identical rows)
PID 4640 wrote to memory of 4172   4640  Bpl New Po-2000023038.exe   124  (4 identical rows)
PID 4640 wrote to memory of 4460   4640  Bpl New Po-2000023038.exe   125  (8 identical rows)
PID 3604 wrote to memory of 5620   3604  cmd.exe                     127  (2 identical rows)
PID 5620 wrote to memory of 5832   5620  cmd.exe                     128  (2 identical rows)
PID 5832 wrote to memory of 4928   5832  Bpl New Po-2000023038.exe   132  (8 identical rows)
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
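The WriteProcessMemory table above, read together with the process tree, is the evidence for process hollowing in this run: both copies of the sample (PID 4640 and PID 5832) spawn a .NET framework utility with an empty command line (AddInProcess32.exe, installutil.exe), write into it 4 to 8 times and are also flagged for SetThreadContext, while the benign parent-to-child pairs in the same table (cmd.exe into cmd.exe, SearchIndexer.exe into its own host processes) stop at 2 writes. The Python below is an added triage example and is not part of the sandbox report: the process and write rows are copied from this page, whereas HOLLOW_HOSTS, BASELINE_WRITES and the scoring weights are assumptions to tune per environment.

```python
"""Score parent->child WriteProcessMemory bursts for process hollowing.

Added example for this report, not sandbox output. PROCESSES, WRITES and
SET_THREAD_CONTEXT are copied from the report; HOLLOW_HOSTS, BASELINE_WRITES
and the weights are assumptions.
"""
from collections import Counter

# pid -> (image basename, parent pid), constructed from the report's process tree
PROCESSES = {
    4640: ("Bpl New Po-2000023038.exe", None),
    4172: ("AddInProcess32.exe", 4640),
    4460: ("installutil.exe", 4640),
    6116: ("SearchIndexer.exe", None),
    4884: ("SearchProtocolHost.exe", 6116),
    4964: ("SearchFilterHost.exe", 6116),
    3604: ("cmd.exe", None),
    5620: ("cmd.exe", 3604),
    5832: ("Bpl New Po-2000023038.exe", 5620),
    4928: ("AddInProcess32.exe", 5832),
}

# (writer pid, target pid), one entry per table row, duplicates preserved
WRITES = (
    [(6116, 4884)] * 2 + [(6116, 4964)] * 2
    + [(4640, 4172)] * 4 + [(4640, 4460)] * 8
    + [(3604, 5620)] * 2 + [(5620, 5832)] * 2
    + [(5832, 4928)] * 8
)

# pids the report flags with "Suspicious use of SetThreadContext"
SET_THREAD_CONTEXT = {4640, 5832}

# Assumption: .NET framework binaries that hollowing loaders routinely start
# suspended and overwrite. Extend for your own environment.
HOLLOW_HOSTS = {
    "addinprocess32.exe", "addinprocess.exe", "installutil.exe", "regasm.exe",
    "regsvcs.exe", "msbuild.exe", "aspnet_compiler.exe", "vbc.exe", "csc.exe",
}

# Assumption: ordinary process creation shows up as a couple of parent->child
# writes (cmd.exe -> cmd.exe has 2 in this report); more than that is payload.
BASELINE_WRITES = 2


def hollowing_candidates(processes=PROCESSES, writes=WRITES,
                         thread_ctx=SET_THREAD_CONTEXT, threshold=4):
    """Return [(writer, target, image, write_count, score, reasons)], best first."""
    counts = Counter(writes)
    findings = []
    for (writer, target), n in counts.items():
        image, parent = processes.get(target, ("?", None))
        score, reasons = 0, []
        if parent == writer:
            score += 1                                   # parent writing into its own child
            reasons.append("parent->child write")
        if image.lower() in HOLLOW_HOSTS:
            score += 2                                   # child is a known hollowing host
            reasons.append("target is a .NET hollowing host")
        if writer in thread_ctx:
            score += 2                                   # writer also redirected a thread (new entry point)
            reasons.append("writer used SetThreadContext")
        if n > BASELINE_WRITES:
            score += 1                                   # more writes than creation needs
            reasons.append(f"{n} writes > baseline {BASELINE_WRITES}")
        if score >= threshold:
            findings.append((writer, target, image, n, score, tuple(reasons)))
    return sorted(findings, key=lambda f: (-f[4], f[0], f[1]))


def summarize(findings):
    """One human-readable line per finding."""
    return [f"{w} -> {t} ({img}): {n} writes, score {s}: {', '.join(r)}"
            for w, t, img, n, s, r in findings]


if __name__ == "__main__":
    for line in summarize(hollowing_candidates()):
        print(line)
```

Run as a script it prints the three flagged pairs (4640 into 4172 and 4460, 5832 into 4928) and nothing for the indexer or cmd.exe pairs; in a pipeline the same function takes rows parsed from whatever your sandbox exports instead of the hand-copied constants.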
Processes

Tree depth is given in brackets and children are indented under their parent. Every process below that is flagged "Executes dropped EXE" (alg.exe, fxssvc.exe, msdtc.exe, vssvc.exe, wbengine.exe, SearchIndexer.exe and the rest) was started from an image written to disk during this run. Read together with the "Drops file in System32 directory / Program Files directory / Windows directory" flags on the sample (PID 4640) and on alg.exe, DiagnosticsHub.StandardCollector.Service.exe and msdtc.exe, this means the on-disk service binaries of an infected host cannot be assumed clean: verify their Authenticode signatures and hashes against a known-good image before trusting them.

[1] C:\Users\Admin\AppData\Local\Temp\Bpl New Po-2000023038.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Bpl New Po-2000023038.exe"
    PID: 4640
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        PID: 4172

    [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
        PID: 4460
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx

[1] C:\Windows\System32\alg.exe
    Command line: C:\Windows\System32\alg.exe
    PID: 3408
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    PID: 1060
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\System32\svchost.exe
    Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
    PID: 4528

[1] C:\Windows\system32\fxssvc.exe
    Command line: C:\Windows\system32\fxssvc.exe
    PID: 3452
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
    Command line: "C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
    PID: 5092
    - Executes dropped EXE

[1] C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
    PID: 4736
    - Executes dropped EXE

[1] C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
    Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
    PID: 4592
    - Executes dropped EXE

[1] C:\Windows\System32\msdtc.exe
    Command line: C:\Windows\System32\msdtc.exe
    PID: 2452
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory

[1] \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
    Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
    PID: 4868
    - Executes dropped EXE

[1] C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
    Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
    PID: 4368
    - Executes dropped EXE

[1] C:\Windows\SysWow64\perfhost.exe
    Command line: C:\Windows\SysWow64\perfhost.exe
    PID: 1996
    - Executes dropped EXE

[1] C:\Windows\system32\locator.exe
    Command line: C:\Windows\system32\locator.exe
    PID: 3140
    - Executes dropped EXE

[1] C:\Windows\System32\SensorDataService.exe
    Command line: C:\Windows\System32\SensorDataService.exe
    PID: 2624
    - Executes dropped EXE
    - Checks SCSI registry key(s)

[1] C:\Windows\System32\snmptrap.exe
    Command line: C:\Windows\System32\snmptrap.exe
    PID: 4300
    - Executes dropped EXE

[1] C:\Windows\system32\spectrum.exe
    Command line: C:\Windows\system32\spectrum.exe
    PID: 5220
    - Executes dropped EXE
    - Checks SCSI registry key(s)

[1] C:\Windows\System32\OpenSSH\ssh-agent.exe
    Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
    PID: 3428
    - Executes dropped EXE

[1] C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
    PID: 5404

[1] C:\Windows\system32\TieringEngineService.exe
    Command line: C:\Windows\system32\TieringEngineService.exe
    PID: 1844
    - Executes dropped EXE
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\system32\AgentService.exe
    Command line: C:\Windows\system32\AgentService.exe
    PID: 5056
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\System32\vds.exe
    Command line: C:\Windows\System32\vds.exe
    PID: 3572
    - Executes dropped EXE

[1] C:\Windows\system32\vssvc.exe
    Command line: C:\Windows\system32\vssvc.exe
    PID: 1356
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\system32\wbengine.exe
    Command line: "C:\Windows\system32\wbengine.exe"
    PID: 4000
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\system32\wbem\WmiApSrv.exe
    Command line: C:\Windows\system32\wbem\WmiApSrv.exe
    PID: 1072
    - Executes dropped EXE

[1] C:\Windows\system32\SearchIndexer.exe
    Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
    PID: 6116
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\system32\SearchProtocolHost.exe
        Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
        PID: 4884
        - Modifies data under HKEY_USERS

    [2] C:\Windows\system32\SearchFilterHost.exe
        Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
        PID: 4964
        - Modifies data under HKEY_USERS

[1] C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c cmd.exe /C start "" /D "C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName" "C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\Bpl New Po-2000023038.exe"
    PID: 3604
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\system32\cmd.exe
        Command line: cmd.exe /C start "" /D "C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName" "C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\Bpl New Po-2000023038.exe"
        PID: 5620
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\Bpl New Po-2000023038.exe
            Command line: "C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\Bpl New Po-2000023038.exe"
            PID: 5832
            - Executes dropped EXE
            - Loads dropped DLL
            - Adds Run key to start application
            - Suspicious use of SetThreadContext
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                PID: 4928
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious behavior: SetClipboardViewer
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of SetWindowsHookEx
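The three-level cmd.exe chain at the bottom of the tree (PID 3604 into 5620 into 5832) is how the sample relaunches its persisted copy: cmd.exe /c wraps a second cmd.exe /C start "" /D <dir> <exe>, the working directory and the target both sit in a profile folder whose name is a run of glued .NET identifiers, and the target keeps the original sample's filename. As an added example that is not part of the sandbox report, the Python below tokenizes that command line the way cmd.exe does (double quotes group text; the first quoted argument directly after START is the window title), peels off the nested cmd.exe /c layers, recovers the /D working directory and the target, and scores the indicators. The command line is copied from the page; the name-shape regex and the scoring are assumptions.

```python
"""Unwrap a cmd.exe "start" relaunch chain and score its persistence traits.

Added example for this report, not sandbox output. OBSERVED_CMDLINE is copied
from the process tree (PID 3604); GLUED_IDENTIFIERS and the findings list are
heuristics chosen here, not something the report states.
"""
import ntpath
import re

OBSERVED_CMDLINE = (
    r'C:\Windows\system32\cmd.exe /c cmd.exe /C start "" '
    r'/D "C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName" '
    r'"C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\Bpl New Po-2000023038.exe"'
)

USER_PROFILE = re.compile(r"^[a-z]:\\users\\[^\\]+\\", re.I)
# Assumption: four or more CapWords glued together with no separator, the
# shape of the directory the sample created from .NET type and member names.
GLUED_IDENTIFIERS = re.compile(r"^(?:[A-Z][a-z0-9]*){4,}$")


def split_cmdline(cmdline):
    """Tokenize like cmd.exe: whitespace separates, double quotes group and are
    stripped. Returns (text, was_quoted) pairs so an empty "" title survives."""
    tokens, cur, quoted, seen_quote = [], [], False, False
    for ch in cmdline:
        if ch == '"':
            quoted, seen_quote = not quoted, True
        elif ch.isspace() and not quoted:
            if cur or seen_quote:
                tokens.append(("".join(cur), seen_quote))
            cur, seen_quote = [], False
        else:
            cur.append(ch)
    if cur or seen_quote:
        tokens.append(("".join(cur), seen_quote))
    return tokens


def unwrap_start_chain(cmdline):
    """Walk `cmd.exe /c ... start [title] [/D dir] [switches] target` through
    any number of nested cmd.exe layers; return (working_dir, target)."""
    toks = split_cmdline(cmdline)
    workdir, i = None, 0
    while i < len(toks):
        text, was_quoted = toks[i]
        low = text.lower()
        if ntpath.basename(low) == "cmd.exe":          # peel one cmd.exe [/c|/k] layer
            i += 1
            if i < len(toks) and toks[i][0].lower() in ("/c", "/k"):
                i += 1
            continue
        if low == "start":
            i += 1
            if i < len(toks) and toks[i][1]:            # quoted token right after START = window title
                i += 1
            continue
        if low == "/d" and i + 1 < len(toks):          # START /D <working directory>
            workdir, i = toks[i + 1][0], i + 2
            continue
        if low.startswith("/"):                        # /B, /MIN, /WAIT and other START switches
            i += 1
            continue
        return workdir, text                           # first non-switch token is the target
    return workdir, None


def assess_relaunch(cmdline, original_name):
    """Return the recovered paths plus the persistence indicators they trip."""
    workdir, target = unwrap_start_chain(cmdline)
    findings = []
    if target is None:
        return {"workdir": workdir, "target": None, "findings": findings}
    if USER_PROFILE.match(target):
        findings.append("target lives under a user profile")
    if ntpath.basename(target).lower() == original_name.lower():
        findings.append("target reuses the original sample's filename (self-copy)")
    folder = ntpath.basename(workdir or ntpath.dirname(target))
    if GLUED_IDENTIFIERS.match(folder):
        findings.append("drop directory name is a run of glued identifiers")
    if cmdline.lower().count("cmd.exe") > 1:
        findings.append("nested cmd.exe /c layers in front of START")
    return {"workdir": workdir, "target": target, "findings": findings}


if __name__ == "__main__":
    result = assess_relaunch(OBSERVED_CMDLINE, "Bpl New Po-2000023038.exe")
    print(result["target"])
    for f in result["findings"]:
        print(" -", f)
```

The tokenizer deliberately does not treat backslashes as escapes, because cmd.exe does not either; that is what keeps the Windows paths intact. Feed the same function the command lines of any cmd.exe process whose child is a user-profile executable and the four findings together single out this relaunch pattern from ordinary installer or shortcut launches.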
Network
MITRE ATT&CK Enterprise v16
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)
Downloads
- Filesize: 2.3MB
  MD5: d0cf8e434a4fba1591f79547aad70d95
  SHA1: 837b9db355ca73881b2bbb4aca10a7b29e21ef66
  SHA256: 8ed8a100ae949f4667d4c968641db39910e60ca2efd943b7e3a626669537dce6
  SHA512: c0174e17bedbfaad8b4da55475f8af35af23840f047b587f746208ce5db65e460d6e3cc0df168cb607338b8f08dca86045e94fd4a00d2fff74895df1fae32072
- Filesize: 1.3MB
  MD5: 172a53fa49434d63f7ca0c8c346c41dd
  SHA1: 7821c13c7cc91f90a4e92dfa2002e2e61b14e817
  SHA256: 0bec3b2388763a2cf04bb182fd85e48cbd5dcf26375311a486fe6ba5e22a9099
  SHA512: cd4476c96b06e2f2a95f0ce3fe81f016640be36349d60bc74aa19ce8a279cdad279f334bd2a42e00685fd9b11c20057f7401ab0e143ba3b758c51890238eef23
- Filesize: 1.3MB
  MD5: 0ba1cfce14321390a1e930507f2eff9c
  SHA1: 2dfb26fc07d639e0f61f7e58650c56faa53701e2
  SHA256: bc5a07c33468a89975281440dc733c19bd8e7a9ce73dcfad896797303429a4fb
  SHA512: 41b4ef83066b43d20ec712f720ce7d5d60db01233efec9b40bba15c32d3347ddabbd6e3f67a8aa36ba15c07683c474d303b9e79cdf730e71addf789ab8a8181b
- Filesize: 2.3MB
  MD5: 0b8c374cd9afb293fa20d4e17485c097
  SHA1: a8eb955c2e7ac8c6e5933739d303901d5ad6ed26
  SHA256: 321d073a251602e7fdec90b1f651473cd694ed5614c72c0c29b17b1c320e0b04
  SHA512: d8e5d95a7463d752006769b9abd9861ced9fee9ec8b2cae6821be69049f4acdbb6bca66404d492e02b1b96b347bf93eddf1fc408476e1a6f0afec448dc77b78d
- Filesize: 12KB
  MD5: b70e9430b2345f8428286598a9325fe2
  SHA1: 8000f8c3690d797741b72a12d7fde9395323cb70
  SHA256: 824242432aa7b76ae0f6abfc9eb9b2ec91f018a51b96ac1f03f1fb71d8e4acc5
  SHA512: 174ac51a5ee975d7ae7f7d6b026f1d8392f5fb63d34434fb2ce17e75289844d6975395c455d392302d4feaf67321b1957c8bd59f991f62c6b97ed62eaa362334
- C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\18e190413af045db88dfbd29609eb877.db
  Filesize: 24KB
  MD5: c8af23f6595c55bd138d3bcd90aa79f6
  SHA1: 970c6084b07060bdb96db23eb78499b80d7d7c6e
  SHA256: 9a246983c857fe55f0aa3e21e75ae9b6cb19930a7b1dc4102be4fc91fb4be39e
  SHA512: 509b05f04d4776f57f30f794b837fd37b19ac6d5e99ed91c74ff46d1609ce26b9ee482011367248ccb3b347ec97b1c62c1a876230154b087fe08d5baeaf9c519
- C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\18e190413af045db88dfbd29609eb877.db.session64
  Filesize: 64KB
  MD5: b27bce4892c45d05009dd0e93ec48d06
  SHA1: 4314e62eef7c4235b76fdf74e4a774ccd8690d9b
  SHA256: a2f4d06e13baec2de5801a2ad4f5020c606a76297e323362220a3749a72db52b
  SHA512: 2805ecb22783177b6f7835dc413fc720251d0835f146c4018b8896f76aa37b4fa92017df63a3d2943c6ef1c8f5ac612cee3d3b04c8194ef026a27ce631f0ba6e
- C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\19cb64e3-596c-4ad8-a280-22e5560f4070.tmp
  Filesize: 10KB
  MD5: 78e47dda17341bed7be45dccfd89ac87
  SHA1: 1afde30e46997452d11e4a2adbbf35cce7a1404f
  SHA256: 67d161098be68cd24febc0c7b48f515f199dda72f20ae3bbb97fcf2542bb0550
  SHA512: 9574a66d3756540479dc955c4057144283e09cae11ce11ebce801053bb48e536e67dc823b91895a9e3ee8d3cb27c065d5e9030c39a26cbf3f201348385b418a5
- Filesize: 1KB
  MD5: 828e880b5cf9d88da90e491cface1522
  SHA1: 68e07662dc6305ab9241ad608f67a6952894f1b6
  SHA256: 5b0ecf924207854cba26a04fc6c8cd9512125d70ad451c2dd34baa39fc7f1782
  SHA512: 3254d781e941ac4fabe9c333fb66bf74484d6e58aaade4154bfde6d1e6f2bdfe62bf352ea407c75ae1af8348132acdfbdaa7788ef575b7dc08c28fd3f2e14a8f
- Filesize: 1.6MB
  MD5: 0fbb10ce5afb1ff94fedede78949462d
  SHA1: 54122d36621b253bea96de9126577ec4d546579a
  SHA256: 3d22756c17a551c5e3a840325b8944050638f6a420fe55167fc95d4915a8a72b
  SHA512: d923b6f1c524a8f41cfe0c0122b6b4638b9cb5c0c1fa24fd0705c3ad3fadb7cff1fdd24e491a1442f922948f956c5a53f47336cac575579400a83dcc091064b2
- C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\Bpl New Po-2000023038.exe
  Filesize: 1.9MB
  MD5: b1dbcb99c22cef6d94cf220a53339c18
  SHA1: 4220c42c8cbafb533b3a99b18fa73fc35aeacf30
  SHA256: ce24c20670a87388411fc3fcb1cc3db347876237555f93027b5c75a76a513576
  SHA512: 8fa98064f64a75a17565fe8e8f1e7b2c36b6078dc097b2300e21c288c81d8a4efd233df101e4bcca2163368767dc77d3bd95028990ad635247aa2e5008ea38f5
- C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\JBEFPFUV-20250611-0006a.log
  Filesize: 178KB
  MD5: aae40201f6f3adc8f285a426174bef08
  SHA1: bcb31185a27426ba1ab16d16eb8e638cf45e38fe
  SHA256: 10b10b3a8664a933f8a03541d0d27f627906c12c5cb3fb8eb961dbe1884818c1
  SHA512: 58fe642ec9c1d29e716d53f76ea81733ba12f0d8d9707d1a8d028079d6d3aec9de9680880172c794845f6363a089a88405f5e6f2dea37a15acfe472cb4b8549f
- C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\Microsoft .NET Framework 4.7.2 Setup_20250611_000120170.html
  Filesize: 93KB
  MD5: 35e95b678a5d0214d4a90913e5bb5f76
  SHA1: 6f3dc3c838bc9c362b235420842ac34f2c08d6de
  SHA256: 9111051032efddd47e7aa0239bfaf9fd878b8b33d566208d8e0c32454a735b56
  SHA512: a5dd3d9e6b484eaf79dc9364ea211b9146b11c876f081445d6547d138f6e1dcc78b1e5f5c3018434d9c85c3e53c9e68455f3817a4b6f0314b054d9ff8298f278
- C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\Microsoft_Windows_Desktop_Runtime_-_6.0.27_(x64)_20250611000145.log
  Filesize: 15KB
  MD5: 8b71d3794c06f7a81993926b1b36a573
  SHA1: d472dd421f1137122b38b02353cbe7131c78bff7
  SHA256: c5d02ccca21f457030a01bb7abd7c453ad1de975d5066fd93c155e29d7b2e1b8
  SHA512: 9c9fd55f8babf8aa3ba326f1c7d60173762ee63c8752b7f87f2c0b3f48d6f46707c4f5d31ac92aacd49d11ac9634ff551aa862cda589ead8f8e3072dd913edc9
- C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\Microsoft_Windows_Desktop_Runtime_-_6.0.27_(x64)_20250611000145_000_dotnet_runtime_6.0.27_win_x64.msi.log
  Filesize: 551KB
  MD5: 860a58bfbfbbf354ba7cdd974d3ad554
  SHA1: 5f90c1012beba0d70b9322711b63e3d27250f529
  SHA256: d3f5b69d8794d2a4419d9df1e8730c8992b71962edd5bc0cb1fe2c15625d90df
  SHA512: 18bb086210d824b1b572088e150415693f6a32bcf881027ee908fac5a142f04b5f18ee55b87fc7f17f78bc647f684c238de62e5ad6f6456edf60bdff00d3e3bf
- C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\Microsoft_Windows_Desktop_Runtime_-_6.0.27_(x64)_20250611000145_001_dotnet_hostfxr_6.0.27_win_x64.msi.log
  Filesize: 95KB
  MD5: 29e0d5f7acb997606e1d89601f611343
  SHA1: 801946e5f10b47bcf8d6b49e76879fb70e733bdc
  SHA256: 4285387e19373168dcb7826909637fcce26fdc4e650503242ba307d6e85cf73c
  SHA512: f2856c08859f08ed79098e78ff84457d1b8fb18d0bea417aac9dd0074a7e286e2302880bcdfe1bfe23fd0a315edf3cf3ba53ce7ecbfe03ecdc76cde4b30db5fb
- C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\Microsoft_Windows_Desktop_Runtime_-_6.0.27_(x64)_20250611000145_002_dotnet_host_6.0.27_win_x64.msi.log
  Filesize: 105KB
  MD5: de0e8d4adedb42ed4f5f9318b909c0c7
  SHA1: 931bd4f8b30eb362c11169a1a6107d6f6ac53166
  SHA256: bb66bc920199db00c64e6998b6c050948dc29fe7873544be13c2f8036e490690
  SHA512: 2226465f152eaa91acdc531036d89a80f887740bf0bdf96a583789c079c452bcb9c649099eb3e42c40e56a6b7649c45a5fa33bea518604af0a2114792e8343f2
- C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\Microsoft_Windows_Desktop_Runtime_-_6.0.27_(x64)_20250611000145_003_windowsdesktop_runtime_6.0.27_win_x64.msi.log
  Filesize: 847KB
  MD5: 0d284d14fdff4606b75e4a1d63ebdda7
  SHA1: 63809939dfdcc6fe96f07b62e55011679f28b70e
  SHA256: 290c2f5ea24a286e6ef3b63884b7303ca8593c586e386de8ab04b70a52d61537
  SHA512: e06a179094657e960969925658f47019fbf558451c1f84b7b41b42a2efdc3bd9d7b9310bebb274a00154b7b7f44d0708072c4001cdb967f93a644a50a2154ffa
- C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\Microsoft_Windows_Desktop_Runtime_-_7.0.16_(x64)_20250611000207.log
  Filesize: 15KB
  MD5: 2efab208271db0c2b0b74aa476fca72b
  SHA1: 53a21e23f7a926d7ca3230ebbb9e0fd091c72c26
  SHA256: 32fb46072266ec2c9ee8b7733bffd3d85ac55291ec292f981d673094008d0849
  SHA512: a848e7c3031499fabb8c855753f0a2729be165357dfb5eb05a0d5fa0719ee98d1110c2b7130d633d0548e0f207d736d61543a93f426204eb24632cb80a5ab948
- C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\Microsoft_Windows_Desktop_Runtime_-_7.0.16_(x64)_20250611000207_000_dotnet_runtime_7.0.16_win_x64.msi.log
  Filesize: 470KB
  MD5: d3bf2cfba04501b7b0a8099f423602b6
  SHA1: 1bea34d50f2c2623cf93983ef400ca6e28cc79bf
  SHA256: 2a38738c13eec259eb5774e78d964895578be2907fd215dc62a3f8391c36a9ee
  SHA512: 1d31e8c6fe423a0313954cfffd247a0bda2932804f20f633692d5247e8828cd36a5631b26c27291eda42fcad1ca9ad1cd8fdc0fa09c650c58abba670a983214f
- C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\Microsoft_Windows_Desktop_Runtime_-_7.0.16_(x64)_20250611000207_001_dotnet_hostfxr_7.0.16_win_x64.msi.log
  Filesize: 95KB
  MD5: 2f95cc4e87af987b59211a2f83cdb1fb
  SHA1: 9411b9f5aaf7a2806381397a3affeffd746bd805
  SHA256: 1625551abdbaf32fd0a54a2702a4cd4a89f0c09b70d0ce4834c6ec6a40db1d72
  SHA512: 09bd07d1917ebffb77966ca31574452538493d10e4e21273fc28dced5dd1596368a96986c4f25abead5e707ef8c9a7cacb7c849bbdfca484d7684c2c01667c40
- C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\Microsoft_Windows_Desktop_Runtime_-_7.0.16_(x64)_20250611000207_002_dotnet_host_7.0.16_win_x64.msi.log
  Filesize: 109KB
  MD5: 225a3b371ecb85d3d94917a6abd0bf0b
  SHA1: f3276888128a6acf00ff563023226ff8322543c1
  SHA256: 7b76e857b8cfc6aac39f72bb94e19f87ad25f34d0fe7721f8258ae2e8b1d5c69
  SHA512: 801a785357877b591a89348f8bb6ef093cea348eed6c27fdcd8e1ae0ac43f7aedb75707183c95a861876cd35fb8bacd26fadb571b177050ee6f4963e0f55b678
- C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\Microsoft_Windows_Desktop_Runtime_-_7.0.16_(x64)_20250611000207_003_windowsdesktop_runtime_7.0.16_win_x64.msi.log
  Filesize: 852KB
  MD5: ba83966d0ae66321fb569bf49642752d
  SHA1: 7b3b310ee3bd19589f6c7f4c54c5368e1d22a2a3
  SHA256: aa3223e4c3d74b760cb0b5c3e3ac55094582e2707401e3e316b9e76c0010da58
  SHA512: e92f6c366bc2d70d4ffab42516ecd129ac99eb54a42a253ecca50ecdce448398fce83075876a236fa8559a252f21e3143b17cbf546c5cf26b5dd2ec0f61e63b7
- C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\Microsoft_Windows_Desktop_Runtime_-_8.0.15_(x64)_20250611000229.log
  Filesize: 15KB
  MD5: 4994d8898af2caa1dc72368175812943
  SHA1: b654502bfa0f7f6d31424981e069c660347fc926
  SHA256: 070394372c3511800173ea2148a2fdb8621ce3a30a968cd3c57b811c77167d37
  SHA512: df9a348605395216ac71b1b4c8cfd003eeb289a4a93b7c2bab41136596c49d5c442605e6d0d1def47c1ef2e428e19b742dff1cfb2a1cf871f6f1639d506114ab
- C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\Microsoft_Windows_Desktop_Runtime_-_8.0.15_(x64)_20250611000229_000_dotnet_runtime_8.0.15_win_x64.msi.log
  Filesize: 470KB
  MD5: 01f806188730021bc8aa71532293d6c9
  SHA1: e2a2033c3ffb505dde99ce641a9668cff5f243fb
  SHA256: 3f32b2774ef7aed29231d52547449e6f2ff8f80969a7ea75d05c9a7c0e300ce4
  SHA512: 7da7361cb459093377430288124b436bebe7ad9f128b79b2bbbd6f00c2a9c6c47eb8e669961d828c2e242edc27bd66e0ad8a1798ce13d3098b36d53195636205
- C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\Microsoft_Windows_Desktop_Runtime_-_8.0.15_(x64)_20250611000229_001_dotnet_hostfxr_8.0.15_win_x64.msi.log
  Filesize: 95KB
  MD5: f5ca1b0a44d18fa0709f227a2cc775e8
  SHA1: 85884b17359cc111726dced4a44c90222b7d6410
  SHA256: 9e947dba473405aa35ee0348fa11f72cab33d2a72bbe4e442c8dd6af9a72e197
  SHA512: ca16dd9d8514019dadf60d6c3673aa0049ecbabc2ebcddc1de6e894bc46f8d5c66490aa467238b39ce6846f97af09f2428221dfda79b84caee6e3ca52a026487
- C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\Microsoft_Windows_Desktop_Runtime_-_8.0.15_(x64)_20250611000229_002_dotnet_host_8.0.15_win_x64.msi.log
  Filesize: 109KB
  MD5: 09cdba74a804e79c6dfdaa0c0cfa751a
  SHA1: 9315a46b731ba5c33f151338663559fd383f286a
  SHA256: 05bfd9555d3111480dcbd48e27080b6b57b3875133b28d1891531e27824a9dfc
  SHA512: 7ee5f220c5e68270349090edaf68850556653fc6b29b8b40bebd48cd1439d832f1dfa7b2f88c73f0f9a273f41b31062ae0f3b339ba817ea2d4bfb8dc836dbfd1
- C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\Microsoft_Windows_Desktop_Runtime_-_8.0.15_(x64)_20250611000229_003_windowsdesktop_runtime_8.0.15_win_x64.msi.log
  Filesize: 849KB
  MD5: c28fb007a7251b79944d7cbb68023346
  SHA1: b50472f2dae4880b86884a30999d68d18bc1c016
  SHA256: 75ec57036e7b6654f8a2d9f71d69db3c7dc69a36d5ec440c0572a5a1b50659f0
  SHA512: 5532545491cd378faddfa10b9fc61688e0888e109b8e0fe7a39db5da16b395599806fda30141bd5ccee26d0964492c472d15d0b3cec205095089178607dd2102
- Filesize: 4KB
  MD5: afc1326429778de7a4eff3d3da68c192
  SHA1: 5595a7ec66eb75dacf84ec638c0e7380e0d3c6c4
  SHA256: a4f2ea636c65e2d4cf7f9c10288d418c9f744e5be67567bd9e9e77b9961a5674
  SHA512: bb1fdb5afe7e36d7829641ff342b3609e030bef14fd856893285dcd2c5f637367542004a9146efec6c86618b2da3f83839cea7ae85ecc6008f9119a2bd2435e1
- Filesize: 72B
  MD5: 60a8384bdbd853ec5bbe2abf8e4291a0
  SHA1: b58f08064a8fd9884d3b11adee42c02c04ad25b6
  SHA256: 839c90f6afba97cf58532fcd0067942f45152c9c173bb267c1cfae69c3d007e9
  SHA512: 60955a00ef3409359d090530bcf89e72adc19a9ce66cd89ec395be08818f65e58097d6df2c3466875940fad02ac087492d5a99a332bb8098a5117db091a468b8
- Filesize: 470B
  MD5: 46c824b66fc796463c1b5c27b2d929c2
  SHA1: 83aca8c9c93ff13c5e5cbed21339a75e33610652
  SHA256: 612c1aa6b5eee780333d6fb9af32445faeb44657e235a6c7cd39aa4777db73bf
  SHA512: 18efd5e53d1debdef96f7675050211d92854958cd2dc60cc81574b4dec27877c2c29b0b70970710028a6b5f2eea47b989f2ab61c07916c022d582a46badaaabe
- Filesize: 8B
  MD5: fed7f614d44923829292868f1ada05f4
  SHA1: 8680eb7e2f0a76bcadd99556809dd08a605f24bf
  SHA256: b920c464147f96b7ec9f1601857435f24b567d905b1be947a18e25ab2cdd87f9
  SHA512: 124171a65251cc029dc49bfd790f18d695d60e6898a8be861d261833da3c9aaa9b7746ea4a77be7f19cc0a3eff8db94461588612198c343b9e59cc3e3d2415ee
- Filesize: 163KB
  MD5: 2ead5242c5fafb22a07547dd2407fb45
  SHA1: ee248b38c9206f479b902527ef9da1556debfae0
  SHA256: 5e80d97b5565836681176aec69e2cbb068378f7c75fc3f248d64c3eb08c88afc
  SHA512: 304f08bc52a2dbd28b118e2bad367ba6e1b00d2070b5d188a6004e31cccc113cf475d5ef626772e28223a5d6608a990ba0a86d7052759ed3fc8950bc9be7f90e
- Filesize: 120KB
  MD5: d3186aada63877a1fe1c2ed4b2e2b77d
  SHA1: f66d9307be6cbbb22941c724d2cf6954b41d7bb0
  SHA256: 2684d360ec473113d922a2738c5c6f6702975e6ac7ee4023258a12ed26c9fefe
  SHA512: c94e8aa368a44f1df9f0318ca266f5a6a9140945d55a579dee2fd10aff3d4704a72a216718b35e44429012d68c2bb30a92d5179fbc9fb4b222456a017d8981c0
- Filesize: 3.6MB
  MD5: b64096bcd104cc44ac58ccefee86e1bc
  SHA1: 3fc620ea06262fba34432db67a37ebde21c421a7
  SHA256: 5c1c18608cdd8918648425cc85a29f254ca981c7c5a48b245686a47c0391ce5f
  SHA512: 54e84c8f5768a2b23b307686397203d3813116a105b16a864bc10793d5edd6f189b0fd12c9acaa772aab486cfa39339c61d467dee5639715c0be5ddd6feb6d0b
- Filesize: 3KB
  MD5: e346b2fc29b1749a79716d7b30e29422
  SHA1: 23c2c5f3ed7d8de1acb9ab548a857eff7f6cdeb5
  SHA256: c76226c58611011a18e6de8c8eb701bed23bf1595c4e2fb5107485706dd2b3a1
  SHA512: 2b70113bf6e425d1738e2bd9b3ed631c7b6f4ba93a00428fa2e29dcc1ba204696afc6e1381bbe812ff2659c46b6049793937db4db72d4fa3d694aa7af77ec153
- Filesize: 24KB
  MD5: 6c1a7e606ab22f129a4b38e1efd0912d
  SHA1: 4381471b9e8bbcb5fb9332a0a7efec4fce4181ac
  SHA256: 61715eb988d4ba36a32d90e54ff265019dd8c988d2784dc06b70c0285d62e368
  SHA512: 28c6ef4a29420ad97804e92b5313cd69affa1f5a6d4bac832ced7a54527d2a4c040480c5efe0c3a3256150ad0a77dece584ddff39e57b7b2b0bf9bd75165f321
- Filesize: 64KB
  MD5: e48fcffdebfcf6ed2a4da3bfd0ebbf06
  SHA1: 6d12df9ca38b69494308702f7ffb9bb6e1f7aa35
  SHA256: e0ef347bc15f83b6a11af1a9ca8487db8cfc26f64eb5e49897a967e21732a263
  SHA512: cf33805ca49cf18d577e58f060795f1bbea5bc516032f1864eaa083a8becda62e6c6ad53092754c2e4f7f615541cf83ce787fd74d3f09b1bd8cd3fafbfe644c4
- Filesize: 63KB
  MD5: e516a60bc980095e8d156b1a99ab5eee
  SHA1: 238e243ffc12d4e012fd020c9822703109b987f6
  SHA256: 543796a1b343b4ebc0285d89cb8eb70667ac7b513da37495e38003704e9d88d7
  SHA512: 9b51e99ba20e9da56d1acc24a1cf9f9c9dbdeb742bec034e0ff2bc179a60f4aff249f40344f9ddd43229dcdefa1041940f65afb336d46c175ffeff725c638d58
- Filesize: 1.1MB
  MD5: 640bd0668bc9885646747b95f3dfa270
  SHA1: dee807471fe5f3dd34e78a0c914ccc9db258ca8a
  SHA256: a9cdadb984746297a74036bf751f7b215838976b241d86e68e716d1f00c3840e
  SHA512: f5fee7c98d6b5daac903beb07108aaf4c46691ed9f1a9d4634ea621d70cc4531fb78907b7920c0280e5c22941945fe4996eeb88cfe54609e6fbd780f11d2cadc
- Filesize: 1.7MB
  MD5: 772518813250d7681f079c70314243aa
  SHA1: abe19e135b6ad228aca623148d907b3300a06f6d
  SHA256: d990dcd12056ff729d64f480cd0d2983c2dc515fcdadc7575669bd8467e06e1b
  SHA512: 86b5f726e2034907ca120e29795a8590b27dffd537a38985590857522b2402ba69d518e67cb25aea4b85184e0e9202700e087a41e9879d83cd4875642cfb2020
- Filesize: 1.2MB
  MD5: e051d12b0a5c4cfb4f17aeeb72f393bb
  SHA1: 0a0befcb78fac5136c0f46eced6e9ca52e07d04e
  SHA256: cce26acf90d32c83995c1941ecacdef7241cfcbbfc13e5353d015935cc10f10f
  SHA512: 2d1f1dbccb03669178f542665028549604a12c95d82cf74b734c31dbaadb431fa15d780aea6d125e6f07dd3e9e8f3fa223f1aafbe4a68e3b21cdf64ef07694b4
- Filesize: 1.2MB
  MD5: f1373238b31735782737d8dc01d8a501
  SHA1: 46575b95886e417b5284e474fed687a88853949b
  SHA256: f5c3858a703e7e37774c573fe4ab68ad9157b195c729961c13d968b696d5d5b1
  SHA512: f1f38279fe3b51672ffbac1e349d7ff6b6fc92b344753d1c6603b3473eb887c096bdce0ca54e15f3f00a83cb0be31042a5e43caa7255f98f7468d978374053bd
- Filesize: 1.1MB
  MD5: 3e16a75567d99cccfa68bde1f875bff1
  SHA1: 737ce4ed791077129f8904793cceec03f2228f72
  SHA256: ad0e8a0f4f8871f1901aac7bb18d3fcfec04b088d5119c6b886f6c8c94791318
  SHA512: 96194f6372bb3ad814994694eb1c898133870d0828343f706cc059f12df850e58593f78c2108a4e3be00b29fb65ada747dbd369aa76c3a0765bbca4119a8db61
- Filesize: 1.4MB
  MD5: a9c4ffb1ef7cb801df10acdd3a36943d
  SHA1: 913a35bdc2ee80cf5f6124a674234ec3d0b971ab
  SHA256: 2b155ecb950c22bcc57c970dd0e62537af85c6102f2ab7f2dd37ad53739fdcaf
  SHA512: b838b9bfe6b10ca96ee7a0c04f4143180754ef0a111b70ef30d0b74554dc11cda2b68d81d344e726dc600ca2c4a1c8ffe08909d2c800abdb89585f5eee89788b
- Filesize: 1.2MB
  MD5: 18b8b5193ae3fb121521a1aeb126dd3a
  SHA1: fa046719c871dceb1c778e57d75989d194d54108
  SHA256: 6729474bfc1ef92719acfa51b3a3c48bbe5ddf6746447f8a313425738c3c8eba
  SHA512: b62cb24a2f1886a63811338d328d672d8f98cd65669c41a0a1f647b5d3fdd63ead98a93657388853e9df08171e31a2a95020223a9924ba4c11109f88214b56d6
-
Filesize
1.4MB
MD5bc332ac3b8ed440b2c58df1353f3be50
SHA162bd2227029057d4065f8e09901f508504e92508
SHA256d309988875ed3f832893c7cee35934286e49aa91a573ab5673dab64a29173224
SHA512f766423e64710b5b0f4484895bc2f3d47a49de8e93cecd3ee1c412709a1b5b490844d7f0c43c0be2b72b7e82d0eed601802729acda70a11a831f826a88029f47
-
Filesize
1.8MB
MD508d4e5118bba016a8d84dc3b1ff532ee
SHA11cd0198f651038ff933a695d4033f089af7c9b2b
SHA256fed1eb1df0025f866a31c7b0a41fa7857fae7645eaec6c2a5e1583151b11740b
SHA512f85648660296d033bf7942a5c2b1a214acf4048a705e5bb451e610ad1524ef9d2467c02532ec1c2a357d522657618236968ad40052a79130a96c5c1ca8859217
-
Filesize
1.4MB
MD523cd4d5e72f4e5c34b63d5ebceee2070
SHA11fd73023fc1b7200ca33cfe2f477ba03a7c8211f
SHA256e6a8d3d02f9f68783bc3aa88ced3ca9ce194538aeb9561cb5a3fd246c499be15
SHA5123badcee8145aa5209e0f1cc419e61924945ca3bc1b04e9597bb7265b0405cb41964bea80a747e104036ffcf3094830d9cba41c32c882f9aaeac4611eb3d2292c
-
Filesize
1.4MB
MD58d6a01b01921aa4f4a055a2f734746f5
SHA15acbe7323a405f83ffba346a7df707b96aa14e0e
SHA2566b2567cb247c7fbadefacdbbfe729725dd5dc175ffb3e3aa7ba71ffb54bb55fc
SHA512afc24e26198076209a3bd0e26015556177379a3de14cd24d3c6681f34dec2159050f67cd05b5aa45963925e78b7805c77a742f5e204c6b36424a399a795ce9e4
-
Filesize
2.0MB
MD51ad8546a67b825df4974e412983f3523
SHA160013e68e15cd559105bab98da60113219594ce2
SHA256582724375d21f2b529a2f826dba23557f3c242ded234aee902687cde846cb162
SHA51275fe15893b08967813a37cea618ecd318ac63e2b01a36a9b49f88ff8f7ab29dd130bd6b3625b712f2070d5de70bee8479244576c4609e21b5b7330af4cb671ff
-
Filesize
1.2MB
MD58c511fd0e1041606a5eac033736c83c2
SHA187b9a5fb17a98fd08b310fc1414386af90b7e3a9
SHA256996603e75cd1c7cad97de4d3a963a6c261e1e6d69424b06a1f3283d2964fc734
SHA512adebe92933ea01302771a8a5105e659f2e3b9bbb3af8d07fdbec54a213e938f5b40efdbaa4f74b21cd783c8c4bbb90d1684df48f108dcb05f827eef47c0f4342
-
Filesize
1.2MB
MD5cb5a11624155438bd37eb748818474b7
SHA17aa56ef786a39cebff87215282223acbb5a09154
SHA256907bd8eb6340f502fcc64a9599a5da7ac082d00ef1514e73123c498f00570697
SHA5127485fb8b8530a991a6c6eab406731eca0a0554bcc3de82163e2f66e603e75825c9db9458039f59adf88d3f9d06b6c2d34be02b7a818fc059df02e4d31df59223
-
Filesize
1.1MB
MD595c475d49403e32ae01ebda6fd220e4b
SHA184b16845c2e4c6ffcf40bb39d624544d7e9dab11
SHA2560fb084a9aa302f6d5cccef701dad773704ad30e2ec1314b8e1a1227ed095c30a
SHA5128007f3c74192c9ccd089fab29b5255273225507d3cf11024cacb3d6f41b47d6a3a212d61947141fccba6bd164f219699e6ed3a5547ac629320f1ff93ebe1f09d
-
Filesize
1.3MB
MD5ec6696ad2e49a311b1dd6169407a1387
SHA1627c3e9bf226d0a75fa2b24e332d50e68b6af30a
SHA256a0c294dc4847cfdabffdd4e955bfe120b3889e0ff265c1c23af83aa03be23452
SHA5127d5c45c2f2d837760cdac4b38fca4ae3fa80ced126c3a7cb2b8e3e1b6661201e4840bf7035cbb55cc0a0c34e5cfc773017d0cccbc91958472584cbd577c9f66b
-
Filesize
1.3MB
MD56b50eb5a6993e7e86a70420deefa3bd7
SHA1779a755aa9120e1378a594e465f1dcc5a52214f4
SHA25635b487ceba390d98a6f4a1a0fa7d0e80407484b88d9b06767639dbc0c18e5790
SHA512b2145510b4d1deb3a64c98954da801c553091bc8f99fd2709ad66ef337602ce82ee1e04f9f9b9f8eb0fb8cc47d2a40b997facb023ac8cdd3e4b7398f1b5e2762
-
Filesize
2.1MB
MD5f0577b6d735f41a268ce42a82ac47f29
SHA1302de92b219627e4363396e83a7f96ced53b0ba4
SHA25642c04bbce965f69996bcb55b790b1be66bf688c408cc34ed9b149c97bb166570
SHA512897ec8ec0051c43bfb064baea8454a409fe031cb5e1e17fb723a476d4caf331a8e981e648542fdc300e0b16f179bae939464bbb0e5a6155a97aa5c6acab477fb