blustealer | 427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
02-05-2023 19:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Quote 1345 rev.3.exe
Size

1.4MB
MD5

34aa0ca40863c30653a0b6ba10d3daa2
SHA1

c5dbbc9a3f6d537ab49aeb89223810cd67c256f7
SHA256

427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9
SHA512

34e46909f3ea586033baa5f73ecbf1f5072f2d05cfaf77f6ab2535ee0798f01427b1e62719fc4026f4b38af03e445a33ff2deb22ef9817ab42e506cfb5cb10d2
SSDEEP

24576:O94Lauo2BLrZ6dj7Wd50QKQIsBJXkQsUc/i/Egj87qLom0Y5m6Uy:O/uHrZ6WPKQ5X0QsUN/EgQ7qEmv

Score

10^/10

blustealer collection spyware stealer

Malware Config

Extracted

Family

blustealer

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 22 IoCs

pid	Process
4880	alg.exe
3840	DiagnosticsHub.StandardCollector.Service.exe
4412	fxssvc.exe
3024	elevation_service.exe
3928	elevation_service.exe
2264	maintenanceservice.exe
4628	msdtc.exe
1948	OSE.EXE
548	PerceptionSimulationService.exe
4752	perfhost.exe
4568	locator.exe
1320	SensorDataService.exe
3304	snmptrap.exe
4156	spectrum.exe
1116	ssh-agent.exe
4376	TieringEngineService.exe
3296	AgentService.exe
3864	vds.exe
3972	vssvc.exe
976	wbengine.exe
2136	WmiApSrv.exe
1412	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\system32\wbengine.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\system32\spectrum.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\system32\dllhost.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\system32\locator.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\e5d77ec8c94b1c77.bin	alg.exe
File opened for modification	C:\Windows\System32\vds.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\system32\vssvc.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	Quote 1345 rev.3.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3140 set thread context of 1668	3140	Quote 1345 rev.3.exe	89
PID 1668 set thread context of 1484	1668	Quote 1345 rev.3.exe	95

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javaw.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\ssvagent.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\orbd.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jjs.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\keytool.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jjs.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmap.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\kinit.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\nbexec.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\nbexec64.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\java-rmi.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\kinit.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javaws.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\rmid.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\policytool.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javaws.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\unpack200.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jhat.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jinfo.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\schemagen.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\tnameserv.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\unpack200.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\native2ascii.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\java.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	Quote 1345 rev.3.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\keytool.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmic.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\policytool.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	Quote 1345 rev.3.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000fe25af76945d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006455b1016a45d901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000015b5cff76945d901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001eb52c006a45d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005ce41cf76945d901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 19000000010000001000000063664b080559a094d10f0a3c5f4f62900f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec53726187760b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b06010505070301620000000100000020000000c3846bf24b9e93ca64274c0ec67c1ecc5e024ffcacd2d74019350e81fe546ae4140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e31d000000010000001000000099949d2179811f6b30a8c99c4f6b42260300000001000000140000002796bae63f1801e277261ba0d77770028f20eee404000000010000001000000091de0625abdafd32170cbb25172a846720000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	Quote 1345 rev.3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 5c00000001000000040000000008000004000000010000001000000091de0625abdafd32170cbb25172a84670300000001000000140000002796bae63f1801e277261ba0d77770028f20eee41d000000010000001000000099949d2179811f6b30a8c99c4f6b4226140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e3620000000100000020000000c3846bf24b9e93ca64274c0ec67c1ecc5e024ffcacd2d74019350e81fe546ae409000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec537261877619000000010000001000000063664b080559a094d10f0a3c5f4f629020000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	Quote 1345 rev.3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4	Quote 1345 rev.3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 0f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec53726187760b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b06010505070301620000000100000020000000c3846bf24b9e93ca64274c0ec67c1ecc5e024ffcacd2d74019350e81fe546ae4140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e31d000000010000001000000099949d2179811f6b30a8c99c4f6b42260300000001000000140000002796bae63f1801e277261ba0d77770028f20eee420000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	Quote 1345 rev.3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 04000000010000001000000091de0625abdafd32170cbb25172a84670300000001000000140000002796bae63f1801e277261ba0d77770028f20eee41d000000010000001000000099949d2179811f6b30a8c99c4f6b4226140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e3620000000100000020000000c3846bf24b9e93ca64274c0ec67c1ecc5e024ffcacd2d74019350e81fe546ae409000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec537261877620000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	Quote 1345 rev.3.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
1668	Quote 1345 rev.3.exe
1668	Quote 1345 rev.3.exe
1668	Quote 1345 rev.3.exe
1668	Quote 1345 rev.3.exe
1668	Quote 1345 rev.3.exe
1668	Quote 1345 rev.3.exe
1668	Quote 1345 rev.3.exe
1668	Quote 1345 rev.3.exe
1668	Quote 1345 rev.3.exe
1668	Quote 1345 rev.3.exe
1668	Quote 1345 rev.3.exe
1668	Quote 1345 rev.3.exe
1668	Quote 1345 rev.3.exe
1668	Quote 1345 rev.3.exe
1668	Quote 1345 rev.3.exe
1668	Quote 1345 rev.3.exe
1668	Quote 1345 rev.3.exe
1668	Quote 1345 rev.3.exe
1668	Quote 1345 rev.3.exe
1668	Quote 1345 rev.3.exe
1668	Quote 1345 rev.3.exe
1668	Quote 1345 rev.3.exe
1668	Quote 1345 rev.3.exe
1668	Quote 1345 rev.3.exe
1668	Quote 1345 rev.3.exe
1668	Quote 1345 rev.3.exe
1668	Quote 1345 rev.3.exe
1668	Quote 1345 rev.3.exe
1668	Quote 1345 rev.3.exe
1668	Quote 1345 rev.3.exe
1668	Quote 1345 rev.3.exe
1668	Quote 1345 rev.3.exe
1668	Quote 1345 rev.3.exe
1668	Quote 1345 rev.3.exe
1668	Quote 1345 rev.3.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1668	Quote 1345 rev.3.exe
Token: SeAuditPrivilege	4412	fxssvc.exe
Token: SeRestorePrivilege	4376	TieringEngineService.exe
Token: SeManageVolumePrivilege	4376	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3296	AgentService.exe
Token: SeBackupPrivilege	3972	vssvc.exe
Token: SeRestorePrivilege	3972	vssvc.exe
Token: SeAuditPrivilege	3972	vssvc.exe
Token: SeBackupPrivilege	976	wbengine.exe
Token: SeRestorePrivilege	976	wbengine.exe
Token: SeSecurityPrivilege	976	wbengine.exe
Token: 33	1412	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeDebugPrivilege	1668	Quote 1345 rev.3.exe
Token: SeDebugPrivilege	1668	Quote 1345 rev.3.exe
Token: SeDebugPrivilege	1668	Quote 1345 rev.3.exe
Token: SeDebugPrivilege	1668	Quote 1345 rev.3.exe
Token: SeDebugPrivilege	1668	Quote 1345 rev.3.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1668	Quote 1345 rev.3.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 3140 wrote to memory of 1668	3140	Quote 1345 rev.3.exe	89
PID 3140 wrote to memory of 1668	3140	Quote 1345 rev.3.exe	89
PID 3140 wrote to memory of 1668	3140	Quote 1345 rev.3.exe	89
PID 3140 wrote to memory of 1668	3140	Quote 1345 rev.3.exe	89
PID 3140 wrote to memory of 1668	3140	Quote 1345 rev.3.exe	89
PID 3140 wrote to memory of 1668	3140	Quote 1345 rev.3.exe	89
PID 3140 wrote to memory of 1668	3140	Quote 1345 rev.3.exe	89
PID 3140 wrote to memory of 1668	3140	Quote 1345 rev.3.exe	89
PID 1668 wrote to memory of 1484	1668	Quote 1345 rev.3.exe	95
PID 1668 wrote to memory of 1484	1668	Quote 1345 rev.3.exe	95
PID 1668 wrote to memory of 1484	1668	Quote 1345 rev.3.exe	95
PID 1668 wrote to memory of 1484	1668	Quote 1345 rev.3.exe	95
PID 1668 wrote to memory of 1484	1668	Quote 1345 rev.3.exe	95
PID 1412 wrote to memory of 2108	1412	SearchIndexer.exe	117
PID 1412 wrote to memory of 2108	1412	SearchIndexer.exe	117
PID 1412 wrote to memory of 1452	1412	SearchIndexer.exe	118
PID 1412 wrote to memory of 1452	1412	SearchIndexer.exe	118

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe
"C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3140
- C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe
  "C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1668
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path
    PID:1484

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:4880

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3840

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4172

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4412

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3024

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3928

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2264

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4628

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1948

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:548

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4752

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4568

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1320

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3304

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4156

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1116

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3352

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4376

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3296

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3864

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3972

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:976

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2136

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1412
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2108
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:1452

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
5b5a3bd0c5526b6c4a30b104e75553a9

SHA1
3b98f8cde3fff8accced880237fc877f502b9fcf

SHA256
dc063a3b18476064bbfd87f3030a7e5c75013fc680f512a4b7aa53f644a5ffed

SHA512
ca02a2e1552705a8ec3f35f9ffb99dca8b8fe5189b196d200ed77a4fa1a3718fcb6ebdc309bb7ca2d59c2d6bda8fda0485147c602efbab7b9e5e28aa49b48e72

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
8ea9a0658ede6f6a0e7d2c029efd7cb1

SHA1
73c931811286509979c59384b745b04d0f6b22fe

SHA256
2639b9bb0298b0c5f69625e27b96c5d92357c9d20fd2be3ce66eecdb5693ede1

SHA512
af0573b47ef72b65db12b520206ee8294fc0f376aee797758f30e9384cd818fbe4f76e2b7fc50320cea3ec1c858aa6b0b95268632ed37abf330b76f1028b4eb5

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
8ea9a0658ede6f6a0e7d2c029efd7cb1

SHA1
73c931811286509979c59384b745b04d0f6b22fe

SHA256
2639b9bb0298b0c5f69625e27b96c5d92357c9d20fd2be3ce66eecdb5693ede1

SHA512
af0573b47ef72b65db12b520206ee8294fc0f376aee797758f30e9384cd818fbe4f76e2b7fc50320cea3ec1c858aa6b0b95268632ed37abf330b76f1028b4eb5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
512KB

MD5
94630757d1664e85d3f26c02914b9977

SHA1
9e051be84da674af92369549eebc1a140f22a6a6

SHA256
4265d4b4d16cb7dec820e1e6d54e4f8dd0b5603a4932ffa0ee81512536c70810

SHA512
84259bdb6ec548efe3a32389f116867c1260dc6d475a227aa22c9af8a037e7d7113bb25a5341fd099e0e5e0a69b3cc2d3ed0b048bc119fa65fe25bfd39bc5b3e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
512KB

MD5
6916ee9cd2a68aa5b24c9576b75beac5

SHA1
5a8754e75737e2f745322c2cb6a22ba948667d38

SHA256
1ed88ae418d1b469c70dfa667c542f462c5ad556d06dbe2474a14f342c713719

SHA512
130568f8f5edcf3064f7bec8ab94616e4d7aeb20e4459ad9a9b1da9de8345eaa272a3b959d638394bbfef3b796fd2bd75601f147cdd8da5e3267dacd94775d2d

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
384KB

MD5
d4054559f099edd4bb1be6c75dee46cd

SHA1
8b1b74268c92f4a66f97a74aa32f00878b11a306

SHA256
d1dbd054f5788753ab61a960e57955ace450e47786f908f39d7f18561fc1c4a3

SHA512
2c32c3f20d40deccc171a86a6c08481942166b40bb5cc5b14fdf8c01eee38ad0a9eaec00dccf50c4b107a91b5f2f1b2d0a658660cfc78ca01ff15ef5ad1c1ee5

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
6919167b609742e63502cdd8c4f27d9a

SHA1
20f251046d5444634ec30f8cd045b72df139b89d

SHA256
00e7954df39c936bdf1f37443bd17f884ce1e1b155f3f5326e5391fdb046dc49

SHA512
56b42f5c98829c0820419f5bc4e6f805539851a0545eb7e1944aec9c59005190859fd40c92e3704137ca6f76804556982262e04d67639be9f0bb88f4fb135ee7

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
192KB

MD5
1537a8b1354827bc277235821ab20f66

SHA1
fdf8b4f9d5e061f06ce4bca0010023a7895b6260

SHA256
c5946ed49dce888ec74801fa7992b5a2290c10a21ec15c92285e7b85ca06caca

SHA512
df802d59104d9137294b7aa792ce708b11e24671a9d85e06ab5a581cacc4c592b5db4648c1af1df57049cad88edd0213eae210602a5d0ece21c9ec0b39f5b19e

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
d06db55d2f11ac8c0f88b61df3f40ca4

SHA1
a50b3d366a53920b8553011423bc407ac3349044

SHA256
29116f2285ad166b416fa7459a5ffdb7c54ad362c5203cb5b93af55d4b51eee0

SHA512
c115d82b50922efa0c514c03e88a2759053ca116c0b72444ff29ada098298d41fdbeb1c44279b52c31d5d9d7d76fdd6f49b5135619f77f41ac17f108e1844584

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe

Filesize
192KB

MD5
87c76cb5b23d805cbf6a8c11e98c74fe

SHA1
aa4288b1ab3ab565a4974b4b6c68b4cffa5fef7a

SHA256
9b0892962670aff4c85a0450bd7b851406c99affe70cfee27281473bcfe14c81

SHA512
1831ef21592faf0f1b23459862b0a33c07dd24a45e047484b35a357afcf612d367147e3bd0d57ac47ffc5ec8906bc0237b8e12c48d9fe5b2dd02dfe50846b000

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javah.exe

Filesize
192KB

MD5
c7a2c16642bcfb6018f19756f78dafd0

SHA1
08b1cd33c80bebb3c3aca2c5d398d53576e58d3d

SHA256
7be64608864cd22fcdbce21e847f5074c799371da0ff62cbfa14cdeff99aff90

SHA512
74ca7bb599334aa2b9ccfda7c93f145f9f7f247a2f65f05e789bb73c673a0814b38938ff430dd3355e0236ff6a15b977e10cc7dbfcf2ab848f908b8ba61d2834

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe

Filesize
146KB

MD5
f7fca1b9f43482560221ddc9995ff4d8

SHA1
791296fea86deacc7608fec23d27b7cce3852988

SHA256
f570fb8eb20c52ff8ba76387e420ded581e837b402cdc561f83651f19fcbc17d

SHA512
cacae0ed9512723d429e96828279be021923016f78139299655e6c572bb6482ee28e42bb98f308bbfa9697f32db378068069e91d8c8b36365283ef8049fb6385

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe

Filesize
128KB

MD5
64651613b75c984ed737cb7002c6114a

SHA1
78daff0f7cf7d8ecbfbed2333160830924048ab7

SHA256
ff74770e5956c4254180539a86892073ea515d07f399085a3fd3810c5030e96b

SHA512
40a386f813b5e0d4208d6dbf6671cac056ef23fad481fb396469fad4a0fdfb98ccdcdbb6f9b8df7d5f01fa555882b51bdaa71ff792e86126c9fc2cd5efec117b

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe

Filesize
128KB

MD5
9a1c7d3f021db9da9b7a518ee4742eeb

SHA1
95805bde4d7bbf000a137ece871f321c7b7fd405

SHA256
6e49fc7d39c590f25aa5076a648bfe9b76774da185ea4fc8e7136c3a9426259f

SHA512
0664361e816f2e21e9e28b0ecc3c747827a0a1a71dec4d4cb27075aa3ca85114f4a9602c342573bbe15716eed7885625aa8f929fa4c45a4658f70969de9c8d5b

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe

Filesize
128KB

MD5
d3005c84dc52381831fe77d925d5f682

SHA1
9bae3eaad55191625d85be10788f1a26d9a34b5a

SHA256
cf38db6b11841444cd3095ece15d78abf7fabf2dd8a6962baf2542eadfc4114b

SHA512
a35c050b68e95216642893191c9ad82a4f7c626b44abfa79849188d1224c12d0295143f647b2fb8f78c91236d36fb60564129f1e1d59544ce366974731f85af3

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
ded4d50d677f9660fef3a492488b2fa2

SHA1
1c1bf61d50960f58efa89fec8446d02be2be1b27

SHA256
7acf9a4031736d7e6231f16cc37be0694cf8af7a5d9fdb0f0bd105f9c67365a6

SHA512
7349ff20134e80bf6f5fcd9b17026cd25927858380382f412f0dd5a3c6dbbad91383a35555532fa550b14412ad5fd39e882d01c7eafbc0349edd7d006a5453f2

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
9a19dd1ef376977283ec918f9bb9fbd4

SHA1
b122524e26599b0e0902b6a06efd16efd10929a4

SHA256
2728a3d5673816e6aecb5ee03ffbfbc0b95d8b4cafc2218688bd2d589a8ccb05

SHA512
da733da9b172146ffc2e572e07363f8fad957928e32ae509ec1afb6072ac8ca7fce6051345b75c0adb8d70677027777e9141f7e355b6899ca8d7f3a3785ba53f

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
7ec5200cc6ac30dec185c935646a69cb

SHA1
e138c265099f23060533826b45df61ad171cc10d

SHA256
4cb106ee29bd9239c64ac5dba21faa184ffe9e9cf08dd5a4e2b6c3b42a280720

SHA512
08fc7e3888edf6ae3b7573ef42aa7ad06c188012d63893bfa07908f1e94105b0e03d8d37c397654cc12530f4e7e67127f5c21ff1ebdb84c74c6559a55b560159

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
ded5644395bb80f2b65f5d6a87ec9e76

SHA1
b315357eb43a652bb04c777e27bc7eaf4638e335

SHA256
0d6c65c2f7553b5a50146162b668c0a1f26b6b6952113338fcd1a8c5e59d9c4a

SHA512
14e321eec7de1eed8807e0385434f0712972c57411e4a007c059b84268251aacc85c581533fe6cd8593115453182ab71faa8e03a749a61b2441115e3aa7a78c5

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
4828775028cc35231254e3f21d305c69

SHA1
18b3c3fe6b36422ebdcca53575c7220a6b204eda

SHA256
4a7c1d9ece291ea19c5714bb4e66644c2c24168d78d4af409b1a4d23fc1f19dc

SHA512
383a0ac52c1ddc040b64d45c96ebd51dee3566c9ac4dad576ddb09e7f065af2475284a8255e25c88362f69c2a255ecdfa885419b78d7b0fc9ebe0a0ac6a2acfa

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
21e68ce71ad642be38815862ea3ab916

SHA1
81e2299775c8010e88b4f6dc4c731fc8a466bf3e

SHA256
fa6f0fbab490b8bd84b303d7d370b752bf258b8d25ed280717c495b06da61a82

SHA512
631161f521b34d7fa787f21c50cb323ecad16f00fbfd12e1775c81e4fe142368738da8482d6fe3bfc85ccf3ddd6e1aab2bf0ed337da4693743602b4ba647d48f

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
d0cabb1bed83b787eecbb87c9d672a9a

SHA1
6227e3ba6e5385d9696254d0c8e4b178b710b5ea

SHA256
a2e00e44dbfea3f68a2e8b0b8e168273157392c112d266022f7d8d19d09b7ec5

SHA512
d94b6f8337cb777686405f8faf5a532bcfc676a529c2921bf5748d04718b2baa45cc6cb503e0ccfbc3a130f0aaf6b31811cba944c083b06e93be29581a64d485

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
d0cabb1bed83b787eecbb87c9d672a9a

SHA1
6227e3ba6e5385d9696254d0c8e4b178b710b5ea

SHA256
a2e00e44dbfea3f68a2e8b0b8e168273157392c112d266022f7d8d19d09b7ec5

SHA512
d94b6f8337cb777686405f8faf5a532bcfc676a529c2921bf5748d04718b2baa45cc6cb503e0ccfbc3a130f0aaf6b31811cba944c083b06e93be29581a64d485

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
c8731eaa50e32f23ab8a0298747d7c0d

SHA1
f619dd4405eefcfef52e86fa0f29e974dd4a7b8a

SHA256
8237753f7720566997a852aa4f5b497578757aef517450192453084f2d4dee78

SHA512
e87f80c26197bd8ac84896125c51774f8409b81afeabe5765fffc56db0cb13d05ba1b46f1def220d51a7b9f749b5e07a1a50e8c82e9ca158fba22b1ae82a3bc4

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
5a43b62b5f87980d766e1999f7b1df79

SHA1
1daff7d227cb182158a67166d823e9a8c83a664d

SHA256
273d9609271282bdfd16d606a4b9beb1ac6c7ab1676c69985541c7f3afbca592

SHA512
5cc92853ac2ea0c8638d5bb15b96865927f17a7ae111baf20f7348688b683c43d91bd879a9296a484eaf65640943f85a13489969b61287de17db42d10848378c

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
e98e4aeecb60df4e613509ea74a8c62d

SHA1
4b391ac85f371f749465d6f80c9ae829cf9f42d6

SHA256
c142013ce7bfb3d4f9cf747fdbc5fc76567669997240f1439c7b906652a86c03

SHA512
bd0cda2f119e4354a3a3b979c98c73067be7304f8fbb4e851a9bdbc820babfce9fdf07a5660b0fc77fea0892bf589f9ae60f1b2a180cb5f1394bf9347688d813

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
e98e4aeecb60df4e613509ea74a8c62d

SHA1
4b391ac85f371f749465d6f80c9ae829cf9f42d6

SHA256
c142013ce7bfb3d4f9cf747fdbc5fc76567669997240f1439c7b906652a86c03

SHA512
bd0cda2f119e4354a3a3b979c98c73067be7304f8fbb4e851a9bdbc820babfce9fdf07a5660b0fc77fea0892bf589f9ae60f1b2a180cb5f1394bf9347688d813

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
a6388aac1ad7eb0dc1ee9793e343f68a

SHA1
2d1f177d29a85a5d7d260b90f8a57ed6959f2ff2

SHA256
a3f31b37918eee092253b5c1cd6b493603b80bb3c321c88271bf1073cabe1fc0

SHA512
bc55b979dba9245491b9b85ddac2db841423b756430f2e941bb2e6afdda841bed98228a51c2c04416114058af13f0af87806ea5544dfd962ec0cd55990869f31

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
2271403ebdd19190e5638b19ae78acaa

SHA1
382259ace328ef02dadc9bf075d89ca3eb08b934

SHA256
c888c5496e40637e38f01a47989fc2be82afefcc311fac68c64960cb0791b27c

SHA512
66ba4cfa3710ef0811f03f7e07754fe0938c0b59a4861140c2a5e9610568154ba9a02ab75b23ffdd2e39947f9df167457b1eaaf3f8d6c48aebd2fdf765857b78

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
3a91fff63f63fc3b3b9fed0c6d2f8325

SHA1
049d228b4a3d780aea10c18bb81bbbe19467d3eb

SHA256
0a0457338c953c88b70b8efd27266b38ba51266fa0a09e1a2a31fe31979deaca

SHA512
200a2db93d23e219532b6db6648e27f0929259151daaf281681a0238fbcb4f37a045a23ad83fe7a8ac4c887a2e14773b5c5dbfba1b256c14aaca19e5aaf87d35

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
053bb1142a1e6dfdbf47c5e08fad70d4

SHA1
f7c1a9a9f29a08880d167c7176cfa6037303b647

SHA256
6fd0addd01f912399d873dc513366891f72a8071a502b935d809bcc0488a21c4

SHA512
1b4fff747bfad85b273285f6fab75a6762c9c2ff9de7708c9feb2bc694a01bd6c31ae26ff27dfd276eb877bc0fbbf2f4ba58a52e4bf8820442d8b0dbcf660906

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
47912a29b04ceb0545a8a3ab1d6b7083

SHA1
c5dff3ca82de4c6e7cee8b179a4361ad577dada0

SHA256
edc0e87a8deccc1175fbd54f652c7d651d84359ee8cdb562bcc8d6f78c07abf4

SHA512
cc4e928cd1a9196d23734d69a2fabfd2097f99906ff94f50a396659570cc6090558cfdd942951c27bf437e0ff3263f407a9cf428f9f2fef361b3488969d56af7

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
bc2d3b8b84cf9cfe95ceda79668f2bbc

SHA1
b0e9f4c2663166b0349e119f14473d5e8ce32b13

SHA256
927117727a673081add8f8a769c38ce8385daf22d3e50c4001eed34dd8dce4ae

SHA512
b2cc847c3c4666564291b45033be95d46cc4c837656fcb663477a2347f91eeb5acb356c5a9adb4c37e05f5a96284c3451dc53a2ffa71c9d05abdf904a892671d

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
2b7c5ff8e5ab7c45b314288eced0299c

SHA1
163558ec388ffb55c7f0b9f8ee3e89129e3c385c

SHA256
2e9fd53796f3efcd9244addc5a0affcfcafb63a0378188515cdedaea94639744

SHA512
87966d31a75bf713aceb7fdd05756bdba60f25d4992964ace4c5fe2c9d9677b9c72dffc10cd0db26cea5a0e01d75d0670d543bc89840abaa709d054f58bf4150

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
6b22db4b854f3a1304ce03ae6663bf6b

SHA1
0f7fc6fcc632e26d72cac69e1fead1a2ef0b6d12

SHA256
b399990dd96eb9164782d7897543da7311ab3cbda656f5a093584d8b27d10c0c

SHA512
69251478e2f5f7230d76efac3dc69ffd049138b9eb5c03487a724dbc5c7e95e96884d754f2334cf3b8fdd0174704a0cfc02c7a60180460bdf6ad5d08f3cad053

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
cd29d7257ae6c64f25992e0af8ddaea8

SHA1
bce1e669c0ac67c991e2bfcffb26c6957e8fdbe6

SHA256
6d236423b80122920a6a320abb4e36a2002e5fbb8b29d52aa125b33f6caff668

SHA512
0fcbeb09c803a85422cca28f8b4e9760a9a41cd91ec64fec6db08baac049cb74d319d940860cdfcd83d0f0f6f4e084950eb57d5ad2c50ba70fb1c6ffddf061f1

Download Submit
C:\Windows\system32\AgentService.exe

Filesize
1.7MB

MD5
7ec5200cc6ac30dec185c935646a69cb

SHA1
e138c265099f23060533826b45df61ad171cc10d

SHA256
4cb106ee29bd9239c64ac5dba21faa184ffe9e9cf08dd5a4e2b6c3b42a280720

SHA512
08fc7e3888edf6ae3b7573ef42aa7ad06c188012d63893bfa07908f1e94105b0e03d8d37c397654cc12530f4e7e67127f5c21ff1ebdb84c74c6559a55b560159

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
ec5b86c9aa10cf3ec693f427c6c8954e

SHA1
03336a3b80cb3ae960276cf3956dd4e14572f5c1

SHA256
2d4b6d62cb69ab4dd8627017ad87a7f59a62418e2c7f942ee6b4d5e2416734eb

SHA512
80c95784d61402edc9f7dab51793e1a1dd5e33188d3e4ea421de76732b6fb5a69feac0481de52f7050b2e292c1d988c4cf289afe48c5bd92c246c10f0e0da01b

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
155b90a7196289606cf9569ed8fdb8e5

SHA1
6691f163c0af1f3091bd30317bd72dd4b81eccb2

SHA256
34d09dfb57f1c76c515a031b6f96eb8c491bf39445ac0b82a5c12712bb7e2c25

SHA512
63cf203d27b96306a6b342e4e68c2c808aad4de4a5c72f0127475d0210720c9da3dbcbffd0b70ed9cc54655ad1b02b994190c852b3023f6897f6b3b58ce88d07

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
4828775028cc35231254e3f21d305c69

SHA1
18b3c3fe6b36422ebdcca53575c7220a6b204eda

SHA256
4a7c1d9ece291ea19c5714bb4e66644c2c24168d78d4af409b1a4d23fc1f19dc

SHA512
383a0ac52c1ddc040b64d45c96ebd51dee3566c9ac4dad576ddb09e7f065af2475284a8255e25c88362f69c2a255ecdfa885419b78d7b0fc9ebe0a0ac6a2acfa

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
3ac4b2ef6e5927991305ec20dd68c0bf

SHA1
3263e9d8a0c3f9524563c6ec4153440c3afc6931

SHA256
eb7b43c93a0e220a7ae65fedda641f2288c1991637886d759b9afa94a95775d8

SHA512
49a8b8c1e78d9206c4f14f52d5dbb32d25550c1f0c3d7f34e97d2116eb308de9e9b8f93e9b02b0c739b4643d1fbecbbccc652286afc1e2c398bf8ed9bbaacd37

Download Submit
C:\odt\office2016setup.exe

Filesize
1.2MB

MD5
80d1c02cb85fffa7c1305674811ebf08

SHA1
fdb96813df5fac1ae99c8e758bf50aaefbc45d34

SHA256
90b74c4fa2ba9219e6ff04098f901c948d3d5087821b04b7b09b82d6cb62d240

SHA512
d60f91fb7c9c5b73799d7dcbf322661e6a3347b2d13b10d13b7f6c5a6596ac141e16a300d2117f9754da5e848636bd112ddd9992d7e59ca191a29a4e340f5767

Download Submit
memory/548-278-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/976-399-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1116-331-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/1116-591-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/1320-563-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1320-302-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1412-657-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1412-421-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1452-654-0x0000019FF2240000-0x0000019FF2250000-memory.dmp

Filesize
64KB

Download
memory/1452-704-0x0000019FF2250000-0x0000019FF2299000-memory.dmp

Filesize
292KB

Download
memory/1452-825-0x0000019FF23B0000-0x0000019FF23C0000-memory.dmp

Filesize
64KB

Download
memory/1452-824-0x0000019FF23B0000-0x0000019FF23C0000-memory.dmp

Filesize
64KB

Download
memory/1452-823-0x0000019FF23B0000-0x0000019FF23C0000-memory.dmp

Filesize
64KB

Download
memory/1452-783-0x0000019FF23B0000-0x0000019FF23B1000-memory.dmp

Filesize
4KB

Download
memory/1452-651-0x0000019FF1FB0000-0x0000019FF1FC0000-memory.dmp

Filesize
64KB

Download
memory/1452-722-0x0000019FF23B0000-0x0000019FF23C0000-memory.dmp

Filesize
64KB

Download
memory/1452-721-0x0000019FF23B0000-0x0000019FF23C0000-memory.dmp

Filesize
64KB

Download
memory/1452-655-0x0000019FF2250000-0x0000019FF2260000-memory.dmp

Filesize
64KB

Download
memory/1452-668-0x0000019FF2240000-0x0000019FF2250000-memory.dmp

Filesize
64KB

Download
memory/1484-201-0x0000000000F30000-0x0000000000F96000-memory.dmp

Filesize
408KB

Download
memory/1668-396-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1668-149-0x00000000039D0000-0x0000000003A36000-memory.dmp

Filesize
408KB

Download
memory/1668-161-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1668-143-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1668-140-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1668-144-0x00000000039D0000-0x0000000003A36000-memory.dmp

Filesize
408KB

Download
memory/1948-260-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/2136-650-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/2136-402-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/2264-230-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2264-224-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/2264-227-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/2264-218-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3024-204-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3024-194-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3024-202-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3024-480-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3140-133-0x0000000000710000-0x000000000087C000-memory.dmp

Filesize
1.4MB

Download
memory/3140-138-0x0000000005210000-0x0000000005220000-memory.dmp

Filesize
64KB

Download
memory/3140-134-0x0000000005820000-0x0000000005DC4000-memory.dmp

Filesize
5.6MB

Download
memory/3140-139-0x0000000007850000-0x00000000078EC000-memory.dmp

Filesize
624KB

Download
memory/3140-135-0x0000000005270000-0x0000000005302000-memory.dmp

Filesize
584KB

Download
memory/3140-136-0x0000000005230000-0x000000000523A000-memory.dmp

Filesize
40KB

Download
memory/3140-137-0x0000000005210000-0x0000000005220000-memory.dmp

Filesize
64KB

Download
memory/3296-351-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3296-360-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3304-304-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/3304-585-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/3840-181-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/3840-176-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/3840-170-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/3864-372-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3928-522-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3928-207-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/3928-231-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3928-213-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/3972-607-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3972-375-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4156-590-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4156-328-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4376-349-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/4412-183-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4412-180-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/4412-188-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/4412-191-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/4412-195-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4568-571-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/4568-282-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/4628-233-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/4628-257-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/4752-280-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/4880-156-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4880-395-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/4880-158-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/4880-164-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download