blustealer | dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205

Analysis

max time kernel
151s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
01-05-2023 14:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Quote 1345 rev.3.exe
Size

1.6MB
MD5

e90e41677f6030ffc3eac62929ced1d9
SHA1

edb0a2acdec33328a864ac178bfb0b42a2e0d444
SHA256

dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205
SHA512

a2e20c8b160c366baed60adca173587e5c3b94b811f4f52ac3aaab01a0301716e30cc7c7d2a426ee32a6df651021717e4fe097073610860a949e7933468e10fa
SSDEEP

24576:KRKQxWUF61/J27K4mgZB67gTsD6RROjiDefziWX2GDjGBXtnZYx:K4QcUFO34mg367gTOwMMohjw9Z+

Score

10^/10

blustealer collection spyware stealer

Malware Config

Extracted

Family

blustealer

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 22 IoCs

pid	Process
908	alg.exe
5024	DiagnosticsHub.StandardCollector.Service.exe
5088	fxssvc.exe
4372	elevation_service.exe
1584	elevation_service.exe
5064	maintenanceservice.exe
4368	msdtc.exe
4420	OSE.EXE
3880	PerceptionSimulationService.exe
656	perfhost.exe
744	locator.exe
4360	SensorDataService.exe
1764	snmptrap.exe
564	spectrum.exe
960	ssh-agent.exe
2796	TieringEngineService.exe
4724	AgentService.exe
4320	vds.exe
3932	vssvc.exe
1796	wbengine.exe
4576	WmiApSrv.exe
4704	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SearchIndexer.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\system32\locator.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\system32\spectrum.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\9f3bd4abc0346ca3.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\system32\AgentService.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\System32\vds.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\system32\vssvc.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\System32\alg.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\System32\msdtc.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\system32\msiexec.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\system32\wbengine.exe	Quote 1345 rev.3.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1432 set thread context of 3404	1432	Quote 1345 rev.3.exe	92
PID 3404 set thread context of 4672	3404	Quote 1345 rev.3.exe	119

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jrunscript.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jjs.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\orbd.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\rmiregistry.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\tnameserv.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\java.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jconsole.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ktab.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jp2launcher.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\xjc.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\java-rmi.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmc.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\unpack200.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javaws.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jsadebugd.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\klist.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\keytool.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javacpl.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmid.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\ssvagent.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\servertool.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\policytool.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jjs.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{12B41477-B896-4CE0-B721-49B4FD6AD28D}\chrome_installer.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\orbd.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jabswitch.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\unpack200.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\rmiregistry.exe	Quote 1345 rev.3.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d9060db7367cd901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e1eeddb8367cd901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a69b6ab9367cd901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000750bcfb6367cd901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000981612b4367cd901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009697da91367cd901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000658f54b7367cd901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008a1da7b8367cd901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	95	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
3404	Quote 1345 rev.3.exe
3404	Quote 1345 rev.3.exe
3404	Quote 1345 rev.3.exe
3404	Quote 1345 rev.3.exe
3404	Quote 1345 rev.3.exe
3404	Quote 1345 rev.3.exe
3404	Quote 1345 rev.3.exe
3404	Quote 1345 rev.3.exe
3404	Quote 1345 rev.3.exe
3404	Quote 1345 rev.3.exe
3404	Quote 1345 rev.3.exe
3404	Quote 1345 rev.3.exe
3404	Quote 1345 rev.3.exe
3404	Quote 1345 rev.3.exe
3404	Quote 1345 rev.3.exe
3404	Quote 1345 rev.3.exe
3404	Quote 1345 rev.3.exe
3404	Quote 1345 rev.3.exe
3404	Quote 1345 rev.3.exe
3404	Quote 1345 rev.3.exe
3404	Quote 1345 rev.3.exe
3404	Quote 1345 rev.3.exe
3404	Quote 1345 rev.3.exe
3404	Quote 1345 rev.3.exe
3404	Quote 1345 rev.3.exe
3404	Quote 1345 rev.3.exe
3404	Quote 1345 rev.3.exe
3404	Quote 1345 rev.3.exe
3404	Quote 1345 rev.3.exe
3404	Quote 1345 rev.3.exe
3404	Quote 1345 rev.3.exe
3404	Quote 1345 rev.3.exe
3404	Quote 1345 rev.3.exe
3404	Quote 1345 rev.3.exe
3404	Quote 1345 rev.3.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
648	Process not Found
648	Process not Found

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3404	Quote 1345 rev.3.exe
Token: SeAuditPrivilege	5088	fxssvc.exe
Token: SeRestorePrivilege	2796	TieringEngineService.exe
Token: SeManageVolumePrivilege	2796	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4724	AgentService.exe
Token: SeBackupPrivilege	3932	vssvc.exe
Token: SeRestorePrivilege	3932	vssvc.exe
Token: SeAuditPrivilege	3932	vssvc.exe
Token: SeBackupPrivilege	1796	wbengine.exe
Token: SeRestorePrivilege	1796	wbengine.exe
Token: SeSecurityPrivilege	1796	wbengine.exe
Token: 33	4704	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4704	SearchIndexer.exe
Token: SeDebugPrivilege	3404	Quote 1345 rev.3.exe
Token: SeDebugPrivilege	3404	Quote 1345 rev.3.exe
Token: SeDebugPrivilege	3404	Quote 1345 rev.3.exe
Token: SeDebugPrivilege	3404	Quote 1345 rev.3.exe
Token: SeDebugPrivilege	3404	Quote 1345 rev.3.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3404	Quote 1345 rev.3.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1432 wrote to memory of 3404	1432	Quote 1345 rev.3.exe	92
PID 1432 wrote to memory of 3404	1432	Quote 1345 rev.3.exe	92
PID 1432 wrote to memory of 3404	1432	Quote 1345 rev.3.exe	92
PID 1432 wrote to memory of 3404	1432	Quote 1345 rev.3.exe	92
PID 1432 wrote to memory of 3404	1432	Quote 1345 rev.3.exe	92
PID 1432 wrote to memory of 3404	1432	Quote 1345 rev.3.exe	92
PID 1432 wrote to memory of 3404	1432	Quote 1345 rev.3.exe	92
PID 1432 wrote to memory of 3404	1432	Quote 1345 rev.3.exe	92
PID 3404 wrote to memory of 4672	3404	Quote 1345 rev.3.exe	119
PID 3404 wrote to memory of 4672	3404	Quote 1345 rev.3.exe	119
PID 3404 wrote to memory of 4672	3404	Quote 1345 rev.3.exe	119
PID 3404 wrote to memory of 4672	3404	Quote 1345 rev.3.exe	119
PID 3404 wrote to memory of 4672	3404	Quote 1345 rev.3.exe	119
PID 4704 wrote to memory of 4376	4704	SearchIndexer.exe	120
PID 4704 wrote to memory of 4376	4704	SearchIndexer.exe	120
PID 4704 wrote to memory of 2148	4704	SearchIndexer.exe	121
PID 4704 wrote to memory of 2148	4704	SearchIndexer.exe	121

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe
"C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1432
- C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe
  "C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3404
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path
    PID:4672

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:908

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:5024

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1072

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5088

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4372

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1584

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:5064

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4368

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4420

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3880

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:656

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:744

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4360

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1764

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:564

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:960

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4356

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2796

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4724

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4320

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3932

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1796

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4576

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4704
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4376
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2148

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
235791bc93f488903d8256d3bdecfb67

SHA1
7bd3a050739bd0070e3ba38152d82f9650b5ea34

SHA256
81dac74883dec2b7b81dad27b0f4e26afb0e0d8e5f7ab391a0d4f175e2566f3c

SHA512
f2cbf84a40da4a6c92e0ae33088e431790f3d1fec23948233083dfb21d8e0e67984e15de1477b1a7da01a0c1d9938ecbeb7c19c277a3dc15356d166510fe14bd

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
772a1b122bc94e0ef865375497fd5173

SHA1
51efe02401ad216a1e8c10e3d750cd6c3b604487

SHA256
2f61a29406d566ecf2527241c9a62c09221f3c69b7b34d3144cac2bbca9cef61

SHA512
8519ec7f6404bede17f1250e1f5267fc5d52cfe2654f19b0ad7cc74e37f2a083d95f881204136e01dec1f6e591cf98cab7111850e2dd9675f3bed5e046de53aa

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
29af44788e8c2f5f868984d706249f73

SHA1
d9c9be2b2e255aa4193bcbf48b90a261997448a4

SHA256
82d0cc8610c9da8d117eaa8618effcd50ee5812174de7b6cad3aec32797c8f28

SHA512
d207c9bd7da451bb49d1664fdc750c082abcfd95f648e97f73bfb2348906bb689a9da5cc1c9e743452c8e424f3e585040515aa524efd78f1aec6d621720f75b8

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
8938157c5cfe791eb0d5a60876cacfdf

SHA1
d4761d9ffe4fbce565df0e9042c2491173154393

SHA256
7eaac00a07a664020ad9713a1964428506820dd0bbe4ba5e0ccc6c839cdea682

SHA512
37bb7b5501e9eec5bcf7a5d3cd3de8dc3546d8e7cb27d002a5340f3a14e7d31c103231c55a3f383cfb8c9887083ee8800c225ece6f6d662f9c3d7b663d1f6bb1

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
c543ef47d45d8b34fc6c5daa0b1b9b52

SHA1
59bc52f381566e3d52db9c2c8b783a1aabcec7f2

SHA256
4dfd126315cbc7a530d2ee70636f0091b01714b78d5fa68b2ab351ff8e91c1eb

SHA512
a5685afe8ac4cb18fe7c0b0759b1b757932af1ca7b082bea7f327680ecd003296ffb76338b738fe6fcd7832917f1cefb078bbe28577ae64806345d4b8687afbb

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
94f6b81efb9761b329511ff6e03af6ab

SHA1
ee9e603c55274fdf1c5666487c597494de2db695

SHA256
5bfc5cfdc1e8d3dfca8e9442eb7446ed2131a4abb8f84172fb6c9c0e719c29d7

SHA512
404f1e162ecea08d32f00617cef0ac9914be05dfef4a18c221148d74560bca49572de60c1ca72307bf74da590af2174caf4fa96f79928981f252efe72bdc2f2a

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
de8a11550b01aa775081ff586c34a004

SHA1
ffb92a1ed5ebb452e75ef859d6294579a2671c50

SHA256
ebea6f08f1ec3cbf6300c186d05242a4e871e85d88be45296eec8cbf3bfac167

SHA512
f4578fe511181f777b5a68ba9160b1248832fba6bcfd251e78caa4a8ba8110cbba29df303fc2af919e27056e67975b8603c9ae48478f415ed21d0a37d9f9191d

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
c4e958fbe681fa001a5c4477afea220e

SHA1
1c37dcc4c79554eafb177b5e36bee7d8ee12064a

SHA256
9f8cfa7c4957ad87d43bd5003692906343eca9466275066e50c922714bb5f49b

SHA512
71bbb085e536bbbf38f29fcae5e735ed7399e1f3e3c36b08020407795091c4719dd78d24472961f626ab442fdf0f2a086522b4bf63bd9c9b931197a4c5b45a67

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
466d70bf7eb1732c57f25bedbe285282

SHA1
b2de4ef7b84e6dd62674d87e483f405ddff092a9

SHA256
2869e9352eec74d6cf23f6a7a7765696e6ad4214df6d443e21f9b0a08b683ef9

SHA512
3916e9cbe5027f28769bed8aa608263904dbd100a5959735e09cd884cd32492b5c77816dc542f64169afc7410e7a62769359278b2aca98f251bdb7706ab7f4e1

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
65f0d9aa248c7714f67164dc993016bd

SHA1
82f9bb8c5e8a0639da2d2b1a374df6045adb8aeb

SHA256
e416ce822a2e0c982086a846fbb138020a1aea7d775ac82e20c161fbe496331b

SHA512
4e4991e15da272e45c0d463df22f204d69e00fdf68317bd8965cfbd97ae98d9a877dffea2920ec027f342b4b10e669bbff17df43681672930ec9fadcedd99887

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
65f0d9aa248c7714f67164dc993016bd

SHA1
82f9bb8c5e8a0639da2d2b1a374df6045adb8aeb

SHA256
e416ce822a2e0c982086a846fbb138020a1aea7d775ac82e20c161fbe496331b

SHA512
4e4991e15da272e45c0d463df22f204d69e00fdf68317bd8965cfbd97ae98d9a877dffea2920ec027f342b4b10e669bbff17df43681672930ec9fadcedd99887

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
f78599b31d65fae912cf298ad79a163b

SHA1
3c9fa0b5cde8b72381d594f87515bac68ee82217

SHA256
75d7a9e58a91acd9aeaa07967db82eaed905edae39be0c5776dafb40970e864b

SHA512
4b27143e2769f3a2add3708e1ef262dad1d34f50f5379d8eb4ca8d3f2966e824b172607f026dfe9831609377d8c364ba9a598a161323d2b6070a845b309b382f

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
9312c43a716120bedb7e012a6cfe2791

SHA1
3dacdb31d250ae84b3ceef345366064cd2b4c4e3

SHA256
5f8c074f84a081e2b8bc6159dcd5a223442bc0d6fe520826d184e1e53f9ff873

SHA512
c0d3b9dcc479c73d104c0c858b1a781b981555ea3a97c0f252384698df2afa69c8ea13c353feb2995dfcea45aee82412ef2242d2186e29254bca8a4743783dfc

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
edfc82f41046bc79efcc9e51c1eb41ff

SHA1
30724668c5e531b4b933c7f8bb6b0827212f02b6

SHA256
043b10280177801e7b13fefba1274a38f9b51a6ef5279095531c1c07bff9c438

SHA512
3d220a7dcdc608c1194ce5aae4c96066e6825b4051d51e8ae852c7518056f57c0ea45182037eca95575ee7ca19a184b36b1d80f9ada546428e94fdcae085825f

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
586b8737ff34d8552dd131f0dbd9b442

SHA1
30cf524936656cfd778f59e60c3151f602074eef

SHA256
d416335455f13a7a9f3ea65fe7eea0a8083a820e1a46ce0baa06208cddf6b8fa

SHA512
670c80ef4dbbcc31175b218ff6f6e7ebd8b05ba429790754f8e466eaaf2046f08ba62fe575ac305120423f96e8c2337c853b90fb7afec7c7fb10c65c39562728

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
409dd794341d8180545b73a8f104746f

SHA1
bb6bf500d53d321d3f2141024b8863666e8a2f25

SHA256
03d4aad3b9d0772414f015cf2573bbceeb65903e8c7b07ba4647645ee5ee0b9f

SHA512
eb35883a5ede5914fdfd297e58cdaecb1719d3d0436e77a8fe7262ac54bba0b0475d44e762d015e7d184fece47a6707bd6a83979bf737573d9163fe2ab50bf63

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
4e6bbbc72cdcd70edca3ddc6b97f3358

SHA1
a412ad6f38922e0a459d81c7e6dd37654fcc8c1c

SHA256
de427cfa7556664ce658096e681fb396cfe8645d7df1f068c649817e88034fec

SHA512
0ee709457c93be358cd6ed0e6a17e1eb98d03c780fb767c67e6e383118425ccbbef0912f903fdcb7d7b60bfd0e5984cfdd4d922134d50b88ab1b3fcccfe0dc5d

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
897b5adff85a82501bd1b8acd971ea53

SHA1
8e239681bdcbf84b4053f36c55308c83b76ca971

SHA256
d535db236e59e212e393ba97050225bd424888b0a7c1c302c6e75e3a58f769c8

SHA512
ad51ff1a33d28b723034515a5f3842b2fc3ecd9ebb82e6ef1b5f25bce2e45819313ebe67d0733c90ec868fed356781371313bd4940c66a546750be3622b81da5

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
c2c05321d825e529e9ea3d0fb9490802

SHA1
b24c8322d4976b7353e1db22bd87e6b50f4df9e4

SHA256
b5643f1dd5094062d8352aebbdc317b9af60e0475fa4aa4d85136691e5a675da

SHA512
848a8ebaa37034ba6c058a56d19f2521077739294e7f86b2dff549de7b876565533d8ba154a0fa66d3e401b3ccaadb116ece1abb7bfd3cced34d049260908e62

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
68d6bcb3ccb89afb836437cbe4fc99f5

SHA1
a0e079fd7e492632ad5f1fca59695bb82f33adf8

SHA256
0cc4bd52c9f8ffeb76b08b194e0c0da812b3d667da9ad107918a82b5cb2d57ea

SHA512
210e5b18fa306e5e23e1f280d3abd52dab465bd2c976d2d2650d55f001ef427b8cef95260c91e21a41674abb05dd1cf1e492ce971d86edafe0ea5e95303e6d56

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
d6117c4ec0f0671ac640a4b32010a537

SHA1
96967ccf63f91a0b2fc139a4fb68e988d127a9a6

SHA256
803491667de451fd8f2c846f775822b529dcdc8b8c9a7a3b1b0e7b993152309e

SHA512
4ec425c3d10ad6fd18e27acf647178991e28f77ee113bee19534c35a96a0852e85fbe9cf12f796db1681926d4cb383e5ec1287218878caf5132bc7950409a16d

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
c2bcdfb349b356186caba26154c30680

SHA1
a21881e514ea0a1bb35d0083bd0c6c9b9904ef0b

SHA256
a0747113f94a892d9dec074bd785788edb59f93e122923c9690521fbcc81eeae

SHA512
2adf795ff8b28837fff0e02e11a4b7c1ccc79c553040e8f87fb974907e93b5dc39124485f9e1e5b7ba60b60b91880bae37cfd839668ff11fc3031ba24e873320

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
951ee305339ed875d363c262fe85bd2e

SHA1
ab92d9d84f9870d07d30c18e7d403bf31467ef69

SHA256
fbef1266300f710fe5edd8a661b1b9a4ea8ab17b433847ed4a6e988b8eb849c9

SHA512
a6bdd0d2743d90b3951f79d2164006b5134b27519bebd1660955fc44f6ed662f39a684baebb3d443d2e978144c4c169b7f3e375be95d0a2efece4da304a33c91

Download Submit
memory/564-576-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/564-327-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/656-287-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/744-291-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/908-168-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/908-163-0x00000000005E0000-0x0000000000640000-memory.dmp

Filesize
384KB

Download
memory/908-157-0x00000000005E0000-0x0000000000640000-memory.dmp

Filesize
384KB

Download
memory/960-329-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/960-578-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/1432-138-0x00000000054D0000-0x00000000054E0000-memory.dmp

Filesize
64KB

Download
memory/1432-134-0x00000000057F0000-0x0000000005D94000-memory.dmp

Filesize
5.6MB

Download
memory/1432-135-0x00000000052E0000-0x0000000005372000-memory.dmp

Filesize
584KB

Download
memory/1432-136-0x00000000052D0000-0x00000000052DA000-memory.dmp

Filesize
40KB

Download
memory/1432-133-0x0000000000790000-0x0000000000930000-memory.dmp

Filesize
1.6MB

Download
memory/1432-137-0x00000000054D0000-0x00000000054E0000-memory.dmp

Filesize
64KB

Download
memory/1432-139-0x0000000007270000-0x000000000730C000-memory.dmp

Filesize
624KB

Download
memory/1584-221-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1584-206-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/1584-405-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1584-212-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/1764-311-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1764-558-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1796-388-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1796-602-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2148-767-0x000001F03FC70000-0x000001F03FC80000-memory.dmp

Filesize
64KB

Download
memory/2148-720-0x000001F03FB80000-0x000001F03FB90000-memory.dmp

Filesize
64KB

Download
memory/2148-768-0x000001F03FC70000-0x000001F03FC80000-memory.dmp

Filesize
64KB

Download
memory/2148-766-0x000001F03FC70000-0x000001F03FC80000-memory.dmp

Filesize
64KB

Download
memory/2148-712-0x000001F03FB50000-0x000001F03FB60000-memory.dmp

Filesize
64KB

Download
memory/2148-713-0x000001F03FB80000-0x000001F03FB90000-memory.dmp

Filesize
64KB

Download
memory/2148-765-0x000001F03FC70000-0x000001F03FC80000-memory.dmp

Filesize
64KB

Download
memory/2148-736-0x000001F03FC70000-0x000001F03FC80000-memory.dmp

Filesize
64KB

Download
memory/2148-719-0x000001F03FB80000-0x000001F03FB90000-memory.dmp

Filesize
64KB

Download
memory/2148-721-0x000001F03FB80000-0x000001F03FB90000-memory.dmp

Filesize
64KB

Download
memory/2148-722-0x000001F03FB80000-0x000001F03FB90000-memory.dmp

Filesize
64KB

Download
memory/2148-764-0x000001F03FC70000-0x000001F03FC80000-memory.dmp

Filesize
64KB

Download
memory/2148-723-0x000001F03FB80000-0x000001F03FB90000-memory.dmp

Filesize
64KB

Download
memory/2148-724-0x000001F03FB80000-0x000001F03FB90000-memory.dmp

Filesize
64KB

Download
memory/2148-735-0x000001F03FB80000-0x000001F03FB9A000-memory.dmp

Filesize
104KB

Download
memory/2148-737-0x000001F03FC70000-0x000001F03FC80000-memory.dmp

Filesize
64KB

Download
memory/2796-345-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/2796-585-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/3404-147-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/3404-325-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/3404-150-0x0000000003270000-0x00000000032D6000-memory.dmp

Filesize
408KB

Download
memory/3404-144-0x0000000003270000-0x00000000032D6000-memory.dmp

Filesize
408KB

Download
memory/3404-143-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/3404-140-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/3880-450-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/3880-258-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/3932-601-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3932-386-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4320-362-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4320-591-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4360-476-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4360-309-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4368-234-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/4368-232-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4368-427-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/4372-192-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/4372-198-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/4372-204-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4372-383-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4420-257-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/4576-407-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/4576-603-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/4672-501-0x0000000000D00000-0x0000000000D66000-memory.dmp

Filesize
408KB

Download
memory/4704-422-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4704-604-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4724-359-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5024-183-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/5024-170-0x0000000000490000-0x00000000004F0000-memory.dmp

Filesize
384KB

Download
memory/5024-176-0x0000000000490000-0x00000000004F0000-memory.dmp

Filesize
384KB

Download
memory/5064-224-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/5064-223-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/5064-216-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/5064-230-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/5064-227-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/5088-200-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/5088-184-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5088-180-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/5088-188-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/5088-203-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download