blustealer | dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
01-05-2023 14:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Quote 1345 rev.3.exe
Size

1.6MB
MD5

e90e41677f6030ffc3eac62929ced1d9
SHA1

edb0a2acdec33328a864ac178bfb0b42a2e0d444
SHA256

dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205
SHA512

a2e20c8b160c366baed60adca173587e5c3b94b811f4f52ac3aaab01a0301716e30cc7c7d2a426ee32a6df651021717e4fe097073610860a949e7933468e10fa
SSDEEP

24576:KRKQxWUF61/J27K4mgZB67gTsD6RROjiDefziWX2GDjGBXtnZYx:K4QcUFO34mg367gTOwMMohjw9Z+

Score

10^/10

blustealer collection spyware stealer

Malware Config

Extracted

Family

blustealer

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 22 IoCs

pid	Process
4196	alg.exe
4468	DiagnosticsHub.StandardCollector.Service.exe
4696	fxssvc.exe
2800	elevation_service.exe
2144	elevation_service.exe
3752	maintenanceservice.exe
1296	msdtc.exe
5072	OSE.EXE
1016	PerceptionSimulationService.exe
4232	perfhost.exe
3828	locator.exe
4204	SensorDataService.exe
1156	snmptrap.exe
4460	spectrum.exe
1092	ssh-agent.exe
1880	TieringEngineService.exe
860	AgentService.exe
3560	vds.exe
2788	vssvc.exe
4632	wbengine.exe
4964	WmiApSrv.exe
3340	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\wbengine.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\System32\msdtc.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\system32\AgentService.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\System32\vds.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\system32\vssvc.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\b61f4b86c4600f4c.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\system32\msiexec.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\system32\locator.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\System32\alg.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\system32\dllhost.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\system32\spectrum.exe	Quote 1345 rev.3.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3056 set thread context of 4828	3056	Quote 1345 rev.3.exe	90
PID 4828 set thread context of 2376	4828	Quote 1345 rev.3.exe	119

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\klist.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\kinit.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\ktab.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\ssvagent.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javaws.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ktab.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jvisualvm.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmid.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ssvagent.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\native2ascii.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\servertool.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javac.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmc.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jp2launcher.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jjs.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jps.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\keytool.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\servertool.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\schemagen.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javah.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\pack200.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javacpl.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\keytool.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\keytool.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	Quote 1345 rev.3.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c3f23211477cd901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001cdcb70f477cd901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006f927c14477cd901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000087e93815477cd901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000041bc112477cd901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	84	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
4828	Quote 1345 rev.3.exe
4828	Quote 1345 rev.3.exe
4828	Quote 1345 rev.3.exe
4828	Quote 1345 rev.3.exe
4828	Quote 1345 rev.3.exe
4828	Quote 1345 rev.3.exe
4828	Quote 1345 rev.3.exe
4828	Quote 1345 rev.3.exe
4828	Quote 1345 rev.3.exe
4828	Quote 1345 rev.3.exe
4828	Quote 1345 rev.3.exe
4828	Quote 1345 rev.3.exe
4828	Quote 1345 rev.3.exe
4828	Quote 1345 rev.3.exe
4828	Quote 1345 rev.3.exe
4828	Quote 1345 rev.3.exe
4828	Quote 1345 rev.3.exe
4828	Quote 1345 rev.3.exe
4828	Quote 1345 rev.3.exe
4828	Quote 1345 rev.3.exe
4828	Quote 1345 rev.3.exe
4828	Quote 1345 rev.3.exe
4828	Quote 1345 rev.3.exe
4828	Quote 1345 rev.3.exe
4828	Quote 1345 rev.3.exe
4828	Quote 1345 rev.3.exe
4828	Quote 1345 rev.3.exe
4828	Quote 1345 rev.3.exe
4828	Quote 1345 rev.3.exe
4828	Quote 1345 rev.3.exe
4828	Quote 1345 rev.3.exe
4828	Quote 1345 rev.3.exe
4828	Quote 1345 rev.3.exe
4828	Quote 1345 rev.3.exe
4828	Quote 1345 rev.3.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4828	Quote 1345 rev.3.exe
Token: SeAuditPrivilege	4696	fxssvc.exe
Token: SeRestorePrivilege	1880	TieringEngineService.exe
Token: SeManageVolumePrivilege	1880	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	860	AgentService.exe
Token: SeBackupPrivilege	2788	vssvc.exe
Token: SeRestorePrivilege	2788	vssvc.exe
Token: SeAuditPrivilege	2788	vssvc.exe
Token: SeBackupPrivilege	4632	wbengine.exe
Token: SeRestorePrivilege	4632	wbengine.exe
Token: SeSecurityPrivilege	4632	wbengine.exe
Token: 33	3340	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3340	SearchIndexer.exe
Token: SeDebugPrivilege	4828	Quote 1345 rev.3.exe
Token: SeDebugPrivilege	4828	Quote 1345 rev.3.exe
Token: SeDebugPrivilege	4828	Quote 1345 rev.3.exe
Token: SeDebugPrivilege	4828	Quote 1345 rev.3.exe
Token: SeDebugPrivilege	4828	Quote 1345 rev.3.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4828	Quote 1345 rev.3.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 3056 wrote to memory of 4828	3056	Quote 1345 rev.3.exe	90
PID 3056 wrote to memory of 4828	3056	Quote 1345 rev.3.exe	90
PID 3056 wrote to memory of 4828	3056	Quote 1345 rev.3.exe	90
PID 3056 wrote to memory of 4828	3056	Quote 1345 rev.3.exe	90
PID 3056 wrote to memory of 4828	3056	Quote 1345 rev.3.exe	90
PID 3056 wrote to memory of 4828	3056	Quote 1345 rev.3.exe	90
PID 3056 wrote to memory of 4828	3056	Quote 1345 rev.3.exe	90
PID 3056 wrote to memory of 4828	3056	Quote 1345 rev.3.exe	90
PID 3340 wrote to memory of 3760	3340	SearchIndexer.exe	117
PID 3340 wrote to memory of 3760	3340	SearchIndexer.exe	117
PID 3340 wrote to memory of 1612	3340	SearchIndexer.exe	118
PID 3340 wrote to memory of 1612	3340	SearchIndexer.exe	118
PID 4828 wrote to memory of 2376	4828	Quote 1345 rev.3.exe	119
PID 4828 wrote to memory of 2376	4828	Quote 1345 rev.3.exe	119
PID 4828 wrote to memory of 2376	4828	Quote 1345 rev.3.exe	119
PID 4828 wrote to memory of 2376	4828	Quote 1345 rev.3.exe	119
PID 4828 wrote to memory of 2376	4828	Quote 1345 rev.3.exe	119

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe
"C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3056
- C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe
  "C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4828
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path
    PID:2376

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4196

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4468

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3224

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4696

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2800

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2144

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3752

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1296

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:5072

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1016

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4232

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3828

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4204

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1156

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4460

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1092

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3696

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1880

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:860

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3560

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2788

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4632

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4964

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3340
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3760
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:1612

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
674e5e5ca3a4de955a3204b7e05f776a

SHA1
4d7c0eb14d7e57fd9766205a2eb0b1830e8392c0

SHA256
587e9303bbc74a694ed5264b034e775f83420c96ec5a6adfb87c9c8e4100d873

SHA512
d23c807961506cbc0890274c3d75787c0ee555994a66b828887eaa88d33e04533fc91d27cac7e2c6004d4a2117fe65a718f4eecb2d075a4e7cabb7857cab5219

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
4055f7593959764cb6dd4d4bd1bd422f

SHA1
457f44a21b7dac19451cacdad3648b350b7ee531

SHA256
fd2f23c12d13fd86340e83fe1fb8de38aaca8dac2ab560d86872ca7bb82ab701

SHA512
3229a4c39788ec092a8ea956434d26c772b18b094aa6c8617d3160f7cf49ec00214cbe75c9b527c16ef67f2802983f455c33778c6e7a1b09b14bd8073b80fe3a

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
fb3eebfb9230283dde76d755f679a2d5

SHA1
a4d6a10a4d28580feff95a10e82052ced0a12271

SHA256
937bdf8f93c95584500aa2ed00aadb55244cb6d64207247b75f71b99ab3b7534

SHA512
8595beb0298b1776538dd3bf10b67190a969342fb6c788e13d74baf3ee4bf10209c82008b0f4ad6c6bb6b05c5180ff8536c577fd21603d20e3c58c707d959ef6

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
0a2e7802bb81d72b0c658929eaefa3c2

SHA1
c0f4c8f7d4ac3e4bb9cdc75bfad8410c4e53654e

SHA256
db7edad870552fe8bff6b4e87382c68c9aafcb7001b34607be848106039dd650

SHA512
b28be4c1535460d29a36854f1ddc7d5abc275ac42b321f9416d18f8e80a2b1ceee15515a67e00b5d52bbbb5faa29e7c146e60d1b521ceebb3d2765fcadec546a

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
760a42803f108fa7d6772f2b4befce6d

SHA1
1ba5c9d7c15bd6a4c44a5cf015205bde6dc8c21c

SHA256
a881c824d2b179bbb42a0bb362de74bcd09d2911dc2a6bed93b0ad05773e0cd7

SHA512
837a2d46c045f2d4889eaa2e5096d9627fa8f71d8943f8a1768a2c4bf56e69c394be436a1dd37a3bc7b9a82959fe8c316488ca11859a66d61aa8a7537849fedc

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
9a6c8d96c523a773ce55074a9a561da7

SHA1
eda24be820517ca457022a5a2b436197f88893cc

SHA256
6929ef389fe775a0b66fc5c0d307417da3463a3e304269e515dc65f0001932d3

SHA512
c3230194a12a3d46e36cb97b2d2d262d41d8f5f415388eef618a4f71cf92b6a086418840fb5ce57c76b4242819023a47c77044dbc17078c0c4869463d2fa13c4

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
b39d6e4a32910f45233e32b7289bca5e

SHA1
378aef10a56d882717e56d84930114e0e43b368f

SHA256
021a8c9e8734c72aec07d707ed49121b47fdfc2e79f31f89392fa8e8f05e8265

SHA512
3ec68665170b8c94fba57b9498cc82c480ccaddb5675ddff4bfac02e5eb8674b55526a5af291b0a867294ecb20ffbdb36abe565e0257b2fe6611484e598cac98

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
40923603148c18cab2db16ede80be2b6

SHA1
746bc6c1998bf4fe66659d406cf248bae79ae1ca

SHA256
fcc10449b7d38d713a2d642b8c8523643f29776d7ff6845368425836f0cf214f

SHA512
94b5360917b6902792c51e3d92ae778816877a13af47680d538aee6214e97f703c19c875db9f1507ce4e910974782158e6f1bdf5244d660675c22b354934842b

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
9e76e4bc6404a1f3f9c17c9b1ed7ac9e

SHA1
cb4f5a2c085f128425444e96c138b72d6ec8f969

SHA256
aefa0df51ac4867dbf1d1ec35bf766588c0438ca17bd29800f1ee0b1ea0a5c1f

SHA512
ef2256c99024678a083d4fb1712085a2f141bcaabfeaac11e226d82d1170a843d89f0e32a1027967e53044d43f03406349ced713b69a6d1e060b22bb49e455dc

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
77d2608105b8bc0e7f7cbf5871e304d6

SHA1
ee483979dd7256c08b84f27ce3bef4a9d6accc00

SHA256
8a09c2146a20e42b716c04dc061ae16f1ff972802783cc7b5654912253e5efbb

SHA512
081d4d71a24273ef3575afde10838ff7095564142d978ba7406c0853b7d77784695f73163d9fad42dcf86fb9f7557567495eda80437b827aa72408c66ab485c0

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
77d2608105b8bc0e7f7cbf5871e304d6

SHA1
ee483979dd7256c08b84f27ce3bef4a9d6accc00

SHA256
8a09c2146a20e42b716c04dc061ae16f1ff972802783cc7b5654912253e5efbb

SHA512
081d4d71a24273ef3575afde10838ff7095564142d978ba7406c0853b7d77784695f73163d9fad42dcf86fb9f7557567495eda80437b827aa72408c66ab485c0

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
fdd56eb649e8d8d1252af69838e4d8f0

SHA1
ad80a1dc2b016600a315c6c5c9630f258b99cb2a

SHA256
0a0743c13c06140927891bb963f05f268c3e7c15682502e3acbc1ad49f1d9bac

SHA512
1038dfd5e9134879e5c97a59b56a256973193d44abc88e2059c7b98220ea2ba230181e449f6b05c7a7375ce53ae42d72ca153403cc4ab3f72526674643c10f72

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
eb63887bc6c8080eac0c0aba1d5eb4d5

SHA1
52011302bdeadaf1743903f3bdb9cad70284584b

SHA256
3ad5715b076a278b5358ef372bd528c853a05f570878928be2c5b480d0a01c10

SHA512
6f18d2637870a5225e68ae111191efcabb1962de122fbef92eda2381c89e853f0c1ced50d33238fbbaeaf735aca282a0107a8d9509a7e18763e7ebf965568650

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
9acc3ce16ea12a74b38e50a61bb7398c

SHA1
29a7b35268e5f52ae0aea847e88b8dbe4b22e343

SHA256
0610459085c9efc16c8f20edbd9c8cafb53d2edc82e0b2a5cc3214f38025dfb5

SHA512
3fff06596267892cf85dce53f7c00933d5b7d9cd63bf28a515984a039a328cb21a70b954da04e73fb4f47373463720a15b40a4233c37c0aecb76d5b2e954ec41

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
b29668dea3e64161bcbb0f01104026ae

SHA1
546a8f2a12ce66fab4f6e1642c3d2e3f1add0089

SHA256
d05c18fdd2af0b53eecd7a7ee7d2b4d514b115b1501be4fa51c741f39e4ab261

SHA512
69a0645e935db337609c65789681cf489e0f0e5db8da6fc5fe5bc8bb0e3c2912438afb2156fd55a7e023f50f934163801d824582fec1a42f07bdc9883f8469ef

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
3500ffd625cc54aa8080241a237ad04e

SHA1
c8ee3d23dcc9ce1186a0858a1f7cc00a60270dd3

SHA256
3714653bf18573be52618bc2b96edb10f4116d10a3536ed0a53bf61a78eb93f9

SHA512
3446397801d8b9be92e3555af3ba6ed39c8503a0ca6a617f87ef3b68b5f98505549bda429de720373132941213baede56ed46f4c245e8579e4eb576307902df3

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
5cb62d122ab9037b4400cc5af59b3b0a

SHA1
9dc8bde9465a6f64fe17427e190157afcbf1340c

SHA256
82877888b80586989ca408abeecb5a4ff6da23a162c57a68463f0dc2cd51391c

SHA512
f4b9345e70cba2ca07b7cf30fc1ab35aa48c1fbb265d77bcdbe33e79bec295d44c8122df9abb069befcf7d142d380f58f2ea837add02d948fa50a047065cb729

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
91e78df94b973f2adb3630a733281114

SHA1
96fa1ecbc96451f0acf85de8f0ec87100b395778

SHA256
a429aa440f22db9019da6907f91d15ee7a85ddad1babce238df342b70bbae22b

SHA512
cc4d21dd5677cbfdf547480f7ce1a3846517da93c1fe471095dc783837fa96d723f9080d8d9aada63bbcbc020410830a2f58636d48680769d7ff071427a0f940

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
64be19caffae0b3959afd329e7d76bf8

SHA1
02e215ebbbb407c24707f6b729fa59fb0d8901d4

SHA256
b3950201bebb38f122d137194504a8bc1f08dd0aec10f381eb3972b65218d565

SHA512
4f819d2cb1389d00f7b704f7020cb283b8795fb874f60102c2337282ab6a0b8bc55c74322bbd053c0b0af21c0d5c7547a12b07cbda28f05ae58bb6975bb575ab

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
05f5dd3dabf68398f72c48edbd76c3c3

SHA1
ef337f18b04482edfd85e57c2f1aa09b1324b691

SHA256
6f02931835493e6e6034e5a8edd13daaccbfaadc1452b39faa44ec0102d6faa3

SHA512
d91158d63c0800779c9966418c325ae0e009dd3a6ed6131a7cc62c6edd3ce2e2a217306228cc520cbf9bc41622c14c71f79e10e4b08be6fa12194bf7d853389a

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
3cefda5d259b6909c279f2f97ef568eb

SHA1
7a498d05d6b7bc215f3bdbbb85cfaf5e81d2d6b8

SHA256
a2dcf286d56ce47a0e89a72574f570f3ffc7e949a8ea04b4ec32e48c1437fdbb

SHA512
b1126a44bdf6f9dc809758f5e85d8310963edd19feef1fafba1f74164fe3534f46d17475b77326dff8022db4d030924053c04c7c370b0d5cddb952ea24c7f0e2

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
5ffcdfe93688708e873930a3616c29ec

SHA1
d4060193a71abffd6d9b82cdd2d295c2bbaa5b72

SHA256
e5f5cd4b8f4f8bb79bcae918b02f3712ee66f73f981dfb059a9018a7eb3cb4e8

SHA512
1a619ddd9132b142544533a87331a63512506f3be8890306035b38e245f34fe86023d35cc18fcfac64e91ab551979211bd26b33ff2d1e925a71482bc0a0fec33

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
fe279be0bc7f79f3f972672bbc314e13

SHA1
35cd31a5e0e619b42eadd84be5b9cd22cb6c8568

SHA256
75d067d21e9094742851f43fd10611fae0344e2b1db7079f956bb0f5ccf861ee

SHA512
4036cf417530949c131346653b2e9a4e36340e3e35a547a5474848c05e56e8a1381235aa3d2b288a867d81b2738a59683bbc4d973d271d67f573155d63417f0d

Download Submit
memory/860-359-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1016-266-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/1092-513-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/1092-334-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/1156-318-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1296-247-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/1296-231-0x0000000000D00000-0x0000000000D60000-memory.dmp

Filesize
384KB

Download
memory/1612-668-0x0000019C48E10000-0x0000019C48E20000-memory.dmp

Filesize
64KB

Download
memory/1612-686-0x0000019C49940000-0x0000019C49941000-memory.dmp

Filesize
4KB

Download
memory/1612-669-0x0000019C49940000-0x0000019C49941000-memory.dmp

Filesize
4KB

Download
memory/1880-346-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/2144-381-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2144-206-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/2144-212-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/2144-214-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2376-583-0x0000000000B50000-0x0000000000BB6000-memory.dmp

Filesize
408KB

Download
memory/2376-585-0x0000000005160000-0x0000000005170000-memory.dmp

Filesize
64KB

Download
memory/2788-568-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2788-382-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2800-361-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2800-194-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/2800-202-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/2800-201-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3056-139-0x0000000006E70000-0x0000000006F0C000-memory.dmp

Filesize
624KB

Download
memory/3056-138-0x00000000050B0000-0x00000000050C0000-memory.dmp

Filesize
64KB

Download
memory/3056-133-0x0000000000310000-0x00000000004B0000-memory.dmp

Filesize
1.6MB

Download
memory/3056-137-0x0000000004FF0000-0x0000000004FFA000-memory.dmp

Filesize
40KB

Download
memory/3056-134-0x0000000005320000-0x00000000058C4000-memory.dmp

Filesize
5.6MB

Download
memory/3056-135-0x0000000004E50000-0x0000000004EE2000-memory.dmp

Filesize
584KB

Download
memory/3056-136-0x00000000050B0000-0x00000000050C0000-memory.dmp

Filesize
64KB

Download
memory/3340-584-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3340-417-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3560-549-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3560-364-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3752-217-0x0000000001E60000-0x0000000001EC0000-memory.dmp

Filesize
384KB

Download
memory/3752-223-0x0000000001E60000-0x0000000001EC0000-memory.dmp

Filesize
384KB

Download
memory/3752-227-0x0000000001E60000-0x0000000001EC0000-memory.dmp

Filesize
384KB

Download
memory/3752-229-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3828-447-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/3828-285-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/4196-163-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/4196-167-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/4196-331-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/4196-157-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/4204-299-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4204-429-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4232-283-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/4460-320-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4460-495-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4468-170-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/4468-182-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/4468-176-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/4632-396-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4696-191-0x0000000000EC0000-0x0000000000F20000-memory.dmp

Filesize
384KB

Download
memory/4696-188-0x0000000000EC0000-0x0000000000F20000-memory.dmp

Filesize
384KB

Download
memory/4696-184-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4696-195-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4696-180-0x0000000000EC0000-0x0000000000F20000-memory.dmp

Filesize
384KB

Download
memory/4828-144-0x0000000003180000-0x00000000031E6000-memory.dmp

Filesize
408KB

Download
memory/4828-140-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/4828-316-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/4828-149-0x0000000003180000-0x00000000031E6000-memory.dmp

Filesize
408KB

Download
memory/4828-154-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/4828-143-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/4964-398-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/4964-580-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/5072-416-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/5072-248-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download