blustealer | 90382d070f58dd0a9f21d05327c2589116e2271e2cce2cce69018e1f4d836c0f

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05-05-2023 18:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Quote 1345 rev.3.exe
Size

1.5MB
MD5

e2b30c0c90faeeb878ed21be152d2dc1
SHA1

b64e8bbd7d23f9585a7ff9b24a61a7ab119f1769
SHA256

90382d070f58dd0a9f21d05327c2589116e2271e2cce2cce69018e1f4d836c0f
SHA512

7126633aeaeaa91f08d5c0dce6129bfb7501287cad6ac106f1c64c2ab0cb010d3b870680047ea3e9dffdb3bfccab2a9d2a11f8057dd302dfaf140b34022bd74f
SSDEEP

24576:PnQ3GQdfKrh2G8uraReOgX1yFQ+5irxTCQJ5xvCwUXZMnKfJIxzN5b2K:P9QdIuWed+sKK+CQ5CwMZMnx0

Score

10^/10

blustealer collection spyware stealer

Malware Config

Extracted

Family

blustealer

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 22 IoCs

pid	Process
3912	alg.exe
1648	DiagnosticsHub.StandardCollector.Service.exe
4452	fxssvc.exe
748	elevation_service.exe
560	elevation_service.exe
4244	maintenanceservice.exe
4632	msdtc.exe
4480	OSE.EXE
4112	PerceptionSimulationService.exe
2504	perfhost.exe
3008	locator.exe
2208	SensorDataService.exe
2808	snmptrap.exe
3532	spectrum.exe
3196	ssh-agent.exe
4216	TieringEngineService.exe
4440	AgentService.exe
1172	vds.exe
4196	vssvc.exe
4404	wbengine.exe
4928	WmiApSrv.exe
4892	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWow64\perfhost.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\system32\AgentService.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\system32\dllhost.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\System32\msdtc.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\system32\spectrum.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\9e977198ea807a0f.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\System32\vds.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\system32\vssvc.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\System32\alg.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\system32\msiexec.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\system32\locator.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\system32\wbengine.exe	Quote 1345 rev.3.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4180 set thread context of 2392	4180	Quote 1345 rev.3.exe	85
PID 2392 set thread context of 4568	2392	Quote 1345 rev.3.exe	91

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\rmid.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\kinit.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmiregistry.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jhat.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmid.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javaw.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\orbd.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\klist.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jabswitch.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jvisualvm.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\keytool.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\unpack200.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javacpl.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\ktab.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\serialver.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javaws.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\policytool.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jp2launcher.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\unpack200.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jps.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javaws.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdb.exe	Quote 1345 rev.3.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\klist.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\schemagen.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstatd.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\tnameserv.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Quote 1345 rev.3.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b7f85569937fd901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d8c9f764937fd901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009e91dd64937fd901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000055348c67937fd901	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001ba22e65937fd901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000af261c67937fd901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008b16cb66937fd901	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b5708767937fd901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
2392	Quote 1345 rev.3.exe
2392	Quote 1345 rev.3.exe
2392	Quote 1345 rev.3.exe
2392	Quote 1345 rev.3.exe
2392	Quote 1345 rev.3.exe
2392	Quote 1345 rev.3.exe
2392	Quote 1345 rev.3.exe
2392	Quote 1345 rev.3.exe
2392	Quote 1345 rev.3.exe
2392	Quote 1345 rev.3.exe
2392	Quote 1345 rev.3.exe
2392	Quote 1345 rev.3.exe
2392	Quote 1345 rev.3.exe
2392	Quote 1345 rev.3.exe
2392	Quote 1345 rev.3.exe
2392	Quote 1345 rev.3.exe
2392	Quote 1345 rev.3.exe
2392	Quote 1345 rev.3.exe
2392	Quote 1345 rev.3.exe
2392	Quote 1345 rev.3.exe
2392	Quote 1345 rev.3.exe
2392	Quote 1345 rev.3.exe
2392	Quote 1345 rev.3.exe
2392	Quote 1345 rev.3.exe
2392	Quote 1345 rev.3.exe
2392	Quote 1345 rev.3.exe
2392	Quote 1345 rev.3.exe
2392	Quote 1345 rev.3.exe
2392	Quote 1345 rev.3.exe
2392	Quote 1345 rev.3.exe
2392	Quote 1345 rev.3.exe
2392	Quote 1345 rev.3.exe
2392	Quote 1345 rev.3.exe
2392	Quote 1345 rev.3.exe
2392	Quote 1345 rev.3.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
636	Process not Found
636	Process not Found

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2392	Quote 1345 rev.3.exe
Token: SeAuditPrivilege	4452	fxssvc.exe
Token: SeRestorePrivilege	4216	TieringEngineService.exe
Token: SeManageVolumePrivilege	4216	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4440	AgentService.exe
Token: SeBackupPrivilege	4196	vssvc.exe
Token: SeRestorePrivilege	4196	vssvc.exe
Token: SeAuditPrivilege	4196	vssvc.exe
Token: SeBackupPrivilege	4404	wbengine.exe
Token: SeRestorePrivilege	4404	wbengine.exe
Token: SeSecurityPrivilege	4404	wbengine.exe
Token: 33	4892	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4892	SearchIndexer.exe
Token: SeDebugPrivilege	2392	Quote 1345 rev.3.exe
Token: SeDebugPrivilege	2392	Quote 1345 rev.3.exe
Token: SeDebugPrivilege	2392	Quote 1345 rev.3.exe
Token: SeDebugPrivilege	2392	Quote 1345 rev.3.exe
Token: SeDebugPrivilege	2392	Quote 1345 rev.3.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2392	Quote 1345 rev.3.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 4180 wrote to memory of 2392	4180	Quote 1345 rev.3.exe	85
PID 4180 wrote to memory of 2392	4180	Quote 1345 rev.3.exe	85
PID 4180 wrote to memory of 2392	4180	Quote 1345 rev.3.exe	85
PID 4180 wrote to memory of 2392	4180	Quote 1345 rev.3.exe	85
PID 4180 wrote to memory of 2392	4180	Quote 1345 rev.3.exe	85
PID 4180 wrote to memory of 2392	4180	Quote 1345 rev.3.exe	85
PID 4180 wrote to memory of 2392	4180	Quote 1345 rev.3.exe	85
PID 4180 wrote to memory of 2392	4180	Quote 1345 rev.3.exe	85
PID 2392 wrote to memory of 4568	2392	Quote 1345 rev.3.exe	91
PID 2392 wrote to memory of 4568	2392	Quote 1345 rev.3.exe	91
PID 2392 wrote to memory of 4568	2392	Quote 1345 rev.3.exe	91
PID 2392 wrote to memory of 4568	2392	Quote 1345 rev.3.exe	91
PID 2392 wrote to memory of 4568	2392	Quote 1345 rev.3.exe	91
PID 4892 wrote to memory of 4772	4892	SearchIndexer.exe	113
PID 4892 wrote to memory of 4772	4892	SearchIndexer.exe	113
PID 4892 wrote to memory of 4760	4892	SearchIndexer.exe	116
PID 4892 wrote to memory of 4760	4892	SearchIndexer.exe	116

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe
"C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4180
- C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe
  "C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2392
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path
    PID:4568

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3912

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1648

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4616

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4452

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:748

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:560

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4244

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4632

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4480

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4112

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2504

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3008

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2208

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2808

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3532

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3196

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4916

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4216

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4440

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1172

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4196

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4404

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4928

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4892
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4772
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4760

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
39609731a0c841c385f40b10031e0c54

SHA1
d457c8a392b68908ec42287e6cbe7a7f2260b213

SHA256
0fb3b61498631c5929f8057c3b22a240cee078c8ded440869330e64a387f20fc

SHA512
17eac62d507fd9b04087346d32476da096e7ba7d3ecdf482097db61a111e8874a9a68a9ab5e8ddd86853458a20aff28206bd0a3751b90afccf4498b21d1f4cf4

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
4366df1bb087432bdf1b37f0c8d367c2

SHA1
2cef9de8fe4c75fe0ca7af8a3cecfe938535b15d

SHA256
62a4ce9ac51547574a27c9113591e491e3a130a04e1d81b180989f33ead59dc4

SHA512
e22ff13f553e9baaa88c9885ca5aed0f2a18016425a840115a4a8be70871dfcc9ee537f33c158f29591e3914e1f222dceb0723301063ebbe7c6be996fd1158d4

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
422167a32d8bdfb6e967776d608a3a82

SHA1
584c90cc5e06ec0270bddddf466965f767c93f56

SHA256
cab06814fe637627986f3061c9ce42ed410ac6e92faa9efdc8b105cdd4c8c1e3

SHA512
4138bf9357dc7d2b16e6501391f32305f1d0e23ccfa13cb179f4aee41c4c11bdd614ce686b504864957532f0b53bc6e354e77a4b945076c751dba5674cf4bd9a

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
039b9e1056af5027f3e585ebbd7f8613

SHA1
d423f0361422774405b0af2ac2486bf450d4c2b6

SHA256
5cbded02c67c74bfe84e16cae516767deca6efa8f06a47c32d3669422a1a5081

SHA512
e1ff968443983e86f48dd4e4b945b022b4bd38881925e1420eb5f929acdafcbcfc7b3cb53de16a201c61f97e20b652d00db7e48826b2a27df434315e3f56b6a4

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
9abe3c33eeee2cd89150defb6819dc83

SHA1
8eebb79707b29b5037d199adf244bfa4c66e7487

SHA256
b21e885460c8212fd11a98be990af01abefc727fd1d0f12df68d2aa9cb3346de

SHA512
c0cd6aac11920c769a521eb644f56db14200a25d0093857d6745ef95e1c9d9b989e95d0f03136f945b194a2de1655a5601879198f290dc40118073d9d4294005

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
b9cb8b485155eafb728fd3f9bd056f3a

SHA1
af7eff2b243a0a26d55aaf764fa0c80a116cef1e

SHA256
d9c8839bf99872d9face666e250adab11c3535f87987d08ae02c258a0f3d0585

SHA512
11281e83d402d055a7da919e1e26b8e44f558cd0a36f562f2125bf946b271dd4c633ba7ec71f1eeaeb74a3547e62bdb66b2922491c65e849893df6df6d6050e4

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
989a223104bf9ce71384f92ebcedfeaa

SHA1
efe8f76ebf8f8066beb31d3cb0705413dc31ed42

SHA256
ab8c12eb057349a293945e5ede0af65a07026fbe840359294d9167c295553df1

SHA512
537851aaa98d9dcb7ec1bd76475e305eb811b66f87c00444be8bc3f9537a32d6b18ffd75e71f1781787837f7227eabae994407d95fe78c6f73bcc8be780fbb27

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
bce31c6e3f240560392a843ddb19b6df

SHA1
665404a7a364edd042be273e292787a27d30314b

SHA256
b281088ed2dcd8e705ba26a23c05529d80f01cc8bb7bad2ce103f7e9970798eb

SHA512
4344933d7204b7df3683bd3c4f969e712ebcffd296536d1205d0c0d5f7eae7271363236fabb0c88d1ab845a5025a73ade1df5e2193f848e63f8a94834c607a2d

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
ed339c482c46a12b94bec23705c6c480

SHA1
582a0a0aee734c756f94ff4b804ec6c2e48972db

SHA256
eaff8d4bcb0ccca6305621e0783be6a39430923d363a683b9249406f5d3c8f21

SHA512
06beeda5ccdcb52403c11c2003d06caf3d34a3fe451cacb37ed67e7b9d8e6534cb285ef48faf7165b3165dc8e68f764b1f77da194a609433cd0b058858ebec10

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
24b46b2670ef6e9340c84a06dbab0f90

SHA1
a4ad68790a70a8ea0df7d4b853cf93f424835715

SHA256
855357fa17604f97d7cdf3b5dec8a322357aa6cbc012e9de5cf7ec99b3c9be17

SHA512
7314c8849c7f3a578d3bb500b77bc8432f69f6821fbbd68116ba888a52bcebd602557ee7dcc61c40a4e15b559fa609c3544020eac865762165e220593f5dfedd

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
24b46b2670ef6e9340c84a06dbab0f90

SHA1
a4ad68790a70a8ea0df7d4b853cf93f424835715

SHA256
855357fa17604f97d7cdf3b5dec8a322357aa6cbc012e9de5cf7ec99b3c9be17

SHA512
7314c8849c7f3a578d3bb500b77bc8432f69f6821fbbd68116ba888a52bcebd602557ee7dcc61c40a4e15b559fa609c3544020eac865762165e220593f5dfedd

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
f570f79caa470d50925b83e0313430db

SHA1
84272cdec46f4d687de1620e5a222e25f689c76e

SHA256
5508abd13e28ba96d9d4b432e7420590ccecd6e0e2c7b6d9882ccdff32f9fe08

SHA512
9f930f99aa3694158cc68ebda17ed4cc98b89c7de5b24fd8295f8b018bd108224fbb90182b5dff6e93859e23a32ddf61668697a49ac642afaaebeadd4788c5bc

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
0724e841296c3d34a2757243fa90ce72

SHA1
7dcc874e041f10bde2ba6eff2be07c861815e3d3

SHA256
3630b3e33254f493c81253f6672275610e0eba84a7f4d3bfdc182cb25ed97a5a

SHA512
bde58a7d368d6f719e17e375268940c24f3b0b51edca7f83d398c8fc6d71fa8eea2607f3d9d8dffe2ab3096e55419e4248e3d3b84c421f0fadcecd16310136ff

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
e30b60847d885534e2cf5cca4c845dc7

SHA1
30974ca37bc5ee67b3ae6df614fff82ce7e4904b

SHA256
594df272b8bcbdf42c0135bdd70ec24782bb6a1cd53cf1e23815a4441f632ce5

SHA512
01649f1a753f84149d6328f65e071197e88263cb6cb02808af9035f328504db8204a71760dcb05647acd2e6b6b2432d3175124099a8eb75485e0d2df2ecc0be9

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
b00fbe7e141d65a2c0e42e2daf562475

SHA1
d492f70a12002735d3eaacb7a762ccb80c68e00e

SHA256
7f58c61e29d612c8a07337163b4ea79c68609d75c03d1297cd976439f517c8fa

SHA512
310c6a6db514076f615e6b015b628422f81457789f64c040976945c0555a5b40ed8cca7d9b8e3f72bcc3c67a7209eac540a4d1fe773df5f19595593e098757c9

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
d79b21aa4cd8f84d68402baab977bdb6

SHA1
c19cb1eae1a426a47166668c739356face3669b6

SHA256
08a6860d4786228df7dba3df43f4da965dc627e6d61c1a3436a0db1c49f5044a

SHA512
4ff400690324e2af7b169c5c7435d203678d86be86a0320737bed4a2d8d08dd28d15de7f37011ae58fd1139eb0bec98bcfa32a295e0d12c0745d71a9b5c1cbf0

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
0646baf5edd6082e088abfaf69637048

SHA1
3e85ce9385edf7726010e476caf992600848d741

SHA256
7e323d9fd5e24daa8fa7c3e9aed9e2e2b76110ea68b9dc9974889d8b6fdca0f5

SHA512
db96b6766f4103cdf260c6906f1ccd9bef0d2b6acf390644fb49af9627703bf07a6a697cd71b1343defa2d393d661c34c54ceb7c9386750b8c950d84f8430982

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
baf03c7d3cdfb9558d6e3f3618cde4c2

SHA1
d5a3eb46054c13cb33e9694f1b8e616fd9b1cd02

SHA256
ab0dbd291dbc3c577c0004f77d6a392d68e4e3e41672c0156723349959f29ee6

SHA512
086f70bbc560e5e17f473be3faff78b2e719ae040b30c10e4c740e6266099e759e9aaedf093d5b6a55cdd3f72ed238721709114033b4970582950d6b21619d9f

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
8a5e17a3aa6fb4e93202802f44ad690f

SHA1
6ed12114197f67d04b83c304a10d14343f02ac56

SHA256
45269b1b1c8e1251d490d8e3fbf4586bb8e73f35ab4e52dcc2057784051633cb

SHA512
339d8479c61f42e05c38afd31f52ec23ec77067736d5e68c0f56d0edbdad6838dbf10b453c311ff57c2007f5efe66f935df4d4f9569eff9003d8de8ffece87c2

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
fa5030924d2325d92b3602fa5eb28ee5

SHA1
e06d58f465bca4824ac7b9c6c3583236fad56b17

SHA256
740881f8dd097dd88a8bb8069c0ef28eaa68e50dc66e925bb270e6dbbd6aae1a

SHA512
d099216cf64be3bceb1d0607979723998021aec48b1c15a56d868ba676df0a4c2deee91170f32f31c996a1cd826c126b2d426fc3245880e16fd132015b6cad51

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
47565170c4b8fcc830784fab143c6a61

SHA1
8f1772b3584a357985140d753fcd32511cbc5f1c

SHA256
2231b9e9645335263c223123dd139265d86b82fe8a2e112ce97d532594935d5e

SHA512
bf9fb5f29469cc51832abd72b33da97c173445993e41ce0d2dce21b7ac34eafb9adb65728749f9266e90eaeea8718cdd2cf066059912ac403d61510777c839a7

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
b3a2a19f530e2b24907b2722d50a1f6f

SHA1
b87d022d3f40eccb463674bc788b69422038b8c3

SHA256
619c6b0832e7b37740d641f3629a4db8a9056feaa23ce1b13550b5cf1bc59026

SHA512
91a3f50f49b969e8311aec3494918ee1904421cdf11bab53cae548dd14247ba78265e890e0e2f5703b4b9bd2066364026494b1a5d3cab52a0889b509f943434e

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
ac360aebeb06e0ee73cc1cb962f16aaf

SHA1
a2d6bb4d3479925028542e832db92b4a76f757b1

SHA256
875404705e651c2e52a6ff3128ef90cdff3b365363da681798cab736ab1ef82b

SHA512
b5d38efea0422ac44d1b7aa61c04887fc97d741fbddbf7c3c8fe6ca7ff4402aa9194b449ac68e857d50f3f94a30fcd7e49f04fb59ddcdb20331daad2f99f0a85

Download Submit
memory/560-207-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/560-231-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/560-213-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/560-551-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/748-472-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/748-201-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/748-198-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/748-192-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/1172-402-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1648-188-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/1648-170-0x0000000000550000-0x00000000005B0000-memory.dmp

Filesize
384KB

Download
memory/1648-176-0x0000000000550000-0x00000000005B0000-memory.dmp

Filesize
384KB

Download
memory/2208-576-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2208-320-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2392-358-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/2392-140-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/2392-143-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/2392-150-0x0000000003290000-0x00000000032F6000-memory.dmp

Filesize
408KB

Download
memory/2392-144-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/2392-145-0x0000000003290000-0x00000000032F6000-memory.dmp

Filesize
408KB

Download
memory/2504-288-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/2808-322-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/3008-289-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/3196-360-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/3532-324-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3532-587-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3912-168-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/3912-163-0x00000000005B0000-0x0000000000610000-memory.dmp

Filesize
384KB

Download
memory/3912-157-0x00000000005B0000-0x0000000000610000-memory.dmp

Filesize
384KB

Download
memory/4112-287-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/4180-139-0x0000000008580000-0x000000000861C000-memory.dmp

Filesize
624KB

Download
memory/4180-138-0x00000000056D0000-0x00000000056E0000-memory.dmp

Filesize
64KB

Download
memory/4180-134-0x0000000005C30000-0x00000000061D4000-memory.dmp

Filesize
5.6MB

Download
memory/4180-133-0x0000000000BF0000-0x0000000000D74000-memory.dmp

Filesize
1.5MB

Download
memory/4180-135-0x0000000005720000-0x00000000057B2000-memory.dmp

Filesize
584KB

Download
memory/4180-136-0x0000000005C20000-0x0000000005C2A000-memory.dmp

Filesize
40KB

Download
memory/4180-137-0x00000000056D0000-0x00000000056E0000-memory.dmp

Filesize
64KB

Download
memory/4196-403-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4216-361-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/4244-224-0x0000000001AB0000-0x0000000001B10000-memory.dmp

Filesize
384KB

Download
memory/4244-217-0x0000000001AB0000-0x0000000001B10000-memory.dmp

Filesize
384KB

Download
memory/4244-230-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4244-227-0x0000000001AB0000-0x0000000001B10000-memory.dmp

Filesize
384KB

Download
memory/4404-405-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4440-357-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4452-180-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/4452-206-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4452-189-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4452-186-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/4452-203-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/4480-286-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/4568-202-0x0000000000D50000-0x0000000000DB6000-memory.dmp

Filesize
408KB

Download
memory/4632-233-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4632-242-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/4760-689-0x0000023B10B30000-0x0000023B10B40000-memory.dmp

Filesize
64KB

Download
memory/4760-688-0x0000023B10B30000-0x0000023B10B40000-memory.dmp

Filesize
64KB

Download
memory/4760-764-0x0000023B10B30000-0x0000023B10B40000-memory.dmp

Filesize
64KB

Download
memory/4760-763-0x0000023B10B30000-0x0000023B10B40000-memory.dmp

Filesize
64KB

Download
memory/4760-665-0x0000023B10990000-0x0000023B109A0000-memory.dmp

Filesize
64KB

Download
memory/4760-666-0x0000023B109A0000-0x0000023B109A1000-memory.dmp

Filesize
4KB

Download
memory/4760-667-0x0000023B109C0000-0x0000023B109D0000-memory.dmp

Filesize
64KB

Download
memory/4760-668-0x0000023B109C0000-0x0000023B109D0000-memory.dmp

Filesize
64KB

Download
memory/4760-669-0x0000023B109C0000-0x0000023B109D0000-memory.dmp

Filesize
64KB

Download
memory/4760-686-0x0000023B10B30000-0x0000023B10B40000-memory.dmp

Filesize
64KB

Download
memory/4760-687-0x0000023B10B30000-0x0000023B10B40000-memory.dmp

Filesize
64KB

Download
memory/4760-762-0x0000023B10B30000-0x0000023B10B40000-memory.dmp

Filesize
64KB

Download
memory/4760-761-0x0000023B10B30000-0x0000023B10B40000-memory.dmp

Filesize
64KB

Download
memory/4760-706-0x0000023B10B30000-0x0000023B10B32000-memory.dmp

Filesize
8KB

Download
memory/4760-756-0x0000023B109A0000-0x0000023B109A1000-memory.dmp

Filesize
4KB

Download
memory/4760-757-0x0000023B109C0000-0x0000023B109D0000-memory.dmp

Filesize
64KB

Download
memory/4760-758-0x0000023B109C0000-0x0000023B109D0000-memory.dmp

Filesize
64KB

Download
memory/4760-759-0x0000023B109C0000-0x0000023B109D0000-memory.dmp

Filesize
64KB

Download
memory/4760-760-0x0000023B109C0000-0x0000023B109D0000-memory.dmp

Filesize
64KB

Download
memory/4892-458-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4892-603-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4928-406-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/4928-602-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download