blustealer | 295ebe6ba820bb813c6e9dd5526bf194a8da0268085ba0fc805f19c1ae3c6186

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05/05/2023, 20:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RFQ21032023.exe
Size

1.5MB
MD5

26d46c2c07d584f1a04280f47182e909
SHA1

381ec91ba5c4206be19a10a1cb0d2328a9385d71
SHA256

295ebe6ba820bb813c6e9dd5526bf194a8da0268085ba0fc805f19c1ae3c6186
SHA512

3cd2e063ed27a84cfa2513e76a77f6ed8a7987ff42f1e5e9ab9400491b1cfc0b407945ca09ab1a839807ac850a44a0521aa5fa2f9a90c9bd2df1ee0eefc3c8c0
SSDEEP

24576:D1fkORzjCc1R7CIPVQ/NcnBZuSAszPeo28pW4NiocXtWLezho6OrHRYfDz:Dabc7nyNgqSHzPj3zDYt8EhuWf

Score

10^/10

blustealer collection spyware stealer

Malware Config

Extracted

Family

blustealer

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 22 IoCs

pid	Process
1528	alg.exe
3548	DiagnosticsHub.StandardCollector.Service.exe
3356	fxssvc.exe
1840	elevation_service.exe
4640	elevation_service.exe
2220	maintenanceservice.exe
4880	msdtc.exe
4664	OSE.EXE
1636	PerceptionSimulationService.exe
3364	perfhost.exe
4452	locator.exe
3740	SensorDataService.exe
4092	snmptrap.exe
1996	spectrum.exe
4112	ssh-agent.exe
3440	TieringEngineService.exe
3624	AgentService.exe
1060	vds.exe
2932	vssvc.exe
4528	wbengine.exe
3732	WmiApSrv.exe
3664	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	RFQ21032023.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	RFQ21032023.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	RFQ21032023.exe
File opened for modification	C:\Windows\system32\locator.exe	RFQ21032023.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	RFQ21032023.exe
File opened for modification	C:\Windows\System32\vds.exe	RFQ21032023.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	RFQ21032023.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	RFQ21032023.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	RFQ21032023.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	RFQ21032023.exe
File opened for modification	C:\Windows\System32\alg.exe	RFQ21032023.exe
File opened for modification	C:\Windows\System32\msdtc.exe	RFQ21032023.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	RFQ21032023.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	RFQ21032023.exe
File opened for modification	C:\Windows\system32\spectrum.exe	RFQ21032023.exe
File opened for modification	C:\Windows\system32\AgentService.exe	RFQ21032023.exe
File opened for modification	C:\Windows\system32\wbengine.exe	RFQ21032023.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	RFQ21032023.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\8cf6338aea807a0f.bin	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	RFQ21032023.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	RFQ21032023.exe
File opened for modification	C:\Windows\system32\vssvc.exe	RFQ21032023.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	RFQ21032023.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4932 set thread context of 1876	4932	RFQ21032023.exe	85
PID 1876 set thread context of 1972	1876	RFQ21032023.exe	91

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\java.exe	RFQ21032023.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\orbd.exe	RFQ21032023.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\servertool.exe	RFQ21032023.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\kinit.exe	RFQ21032023.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\policytool.exe	RFQ21032023.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	RFQ21032023.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	RFQ21032023.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	RFQ21032023.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	RFQ21032023.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdb.exe	RFQ21032023.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jabswitch.exe	RFQ21032023.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	RFQ21032023.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	RFQ21032023.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	RFQ21032023.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	RFQ21032023.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	RFQ21032023.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	RFQ21032023.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jp2launcher.exe	RFQ21032023.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\rmiregistry.exe	RFQ21032023.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	RFQ21032023.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jjs.exe	RFQ21032023.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javaw.exe	RFQ21032023.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jabswitch.exe	RFQ21032023.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\unpack200.exe	RFQ21032023.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	RFQ21032023.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstatd.exe	RFQ21032023.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\schemagen.exe	RFQ21032023.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\keytool.exe	RFQ21032023.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\orbd.exe	RFQ21032023.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	RFQ21032023.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmc.exe	RFQ21032023.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe	RFQ21032023.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe	RFQ21032023.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdeps.exe	RFQ21032023.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\rmid.exe	RFQ21032023.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\servertool.exe	RFQ21032023.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	RFQ21032023.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	RFQ21032023.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe	RFQ21032023.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	RFQ21032023.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\keytool.exe	RFQ21032023.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\ssvagent.exe	RFQ21032023.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	RFQ21032023.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	RFQ21032023.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	RFQ21032023.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\keytool.exe	RFQ21032023.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe	RFQ21032023.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\wsimport.exe	RFQ21032023.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javacpl.exe	RFQ21032023.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\rmid.exe	RFQ21032023.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	RFQ21032023.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	RFQ21032023.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	RFQ21032023.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	RFQ21032023.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	RFQ21032023.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	RFQ21032023.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jconsole.exe	RFQ21032023.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\kinit.exe	RFQ21032023.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmiregistry.exe	RFQ21032023.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ktab.exe	RFQ21032023.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	RFQ21032023.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	RFQ21032023.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	RFQ21032023.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	RFQ21032023.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	RFQ21032023.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b7dcefaab77fd901	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008d74a7abb77fd901	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f4c3dfacb77fd901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000858ee1aab77fd901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000075fe72abb77fd901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000eb7ab2acb77fd901	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000550be3abb77fd901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000321f6abb77fd901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000842c1dabb77fd901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ac1fd7abb77fd901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	83	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
1876	RFQ21032023.exe
1876	RFQ21032023.exe
1876	RFQ21032023.exe
1876	RFQ21032023.exe
1876	RFQ21032023.exe
1876	RFQ21032023.exe
1876	RFQ21032023.exe
1876	RFQ21032023.exe
1876	RFQ21032023.exe
1876	RFQ21032023.exe
1876	RFQ21032023.exe
1876	RFQ21032023.exe
1876	RFQ21032023.exe
1876	RFQ21032023.exe
1876	RFQ21032023.exe
1876	RFQ21032023.exe
1876	RFQ21032023.exe
1876	RFQ21032023.exe
1876	RFQ21032023.exe
1876	RFQ21032023.exe
1876	RFQ21032023.exe
1876	RFQ21032023.exe
1876	RFQ21032023.exe
1876	RFQ21032023.exe
1876	RFQ21032023.exe
1876	RFQ21032023.exe
1876	RFQ21032023.exe
1876	RFQ21032023.exe
1876	RFQ21032023.exe
1876	RFQ21032023.exe
1876	RFQ21032023.exe
1876	RFQ21032023.exe
1876	RFQ21032023.exe
1876	RFQ21032023.exe
1876	RFQ21032023.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
668	Process not Found
668	Process not Found

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1876	RFQ21032023.exe
Token: SeAuditPrivilege	3356	fxssvc.exe
Token: SeRestorePrivilege	3440	TieringEngineService.exe
Token: SeManageVolumePrivilege	3440	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3624	AgentService.exe
Token: SeBackupPrivilege	2932	vssvc.exe
Token: SeRestorePrivilege	2932	vssvc.exe
Token: SeAuditPrivilege	2932	vssvc.exe
Token: SeBackupPrivilege	4528	wbengine.exe
Token: SeRestorePrivilege	4528	wbengine.exe
Token: SeSecurityPrivilege	4528	wbengine.exe
Token: 33	3664	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3664	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3664	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3664	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3664	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3664	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3664	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3664	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3664	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3664	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3664	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3664	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3664	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3664	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3664	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3664	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3664	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3664	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3664	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3664	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3664	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3664	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3664	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3664	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3664	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3664	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3664	SearchIndexer.exe
Token: SeDebugPrivilege	1876	RFQ21032023.exe
Token: SeDebugPrivilege	1876	RFQ21032023.exe
Token: SeDebugPrivilege	1876	RFQ21032023.exe
Token: SeDebugPrivilege	1876	RFQ21032023.exe
Token: SeDebugPrivilege	1876	RFQ21032023.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1876	RFQ21032023.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 4932 wrote to memory of 1876	4932	RFQ21032023.exe	85
PID 4932 wrote to memory of 1876	4932	RFQ21032023.exe	85
PID 4932 wrote to memory of 1876	4932	RFQ21032023.exe	85
PID 4932 wrote to memory of 1876	4932	RFQ21032023.exe	85
PID 4932 wrote to memory of 1876	4932	RFQ21032023.exe	85
PID 4932 wrote to memory of 1876	4932	RFQ21032023.exe	85
PID 4932 wrote to memory of 1876	4932	RFQ21032023.exe	85
PID 4932 wrote to memory of 1876	4932	RFQ21032023.exe	85
PID 1876 wrote to memory of 1972	1876	RFQ21032023.exe	91
PID 1876 wrote to memory of 1972	1876	RFQ21032023.exe	91
PID 1876 wrote to memory of 1972	1876	RFQ21032023.exe	91
PID 1876 wrote to memory of 1972	1876	RFQ21032023.exe	91
PID 1876 wrote to memory of 1972	1876	RFQ21032023.exe	91
PID 3664 wrote to memory of 3696	3664	SearchIndexer.exe	117
PID 3664 wrote to memory of 3696	3664	SearchIndexer.exe	117
PID 3664 wrote to memory of 3980	3664	SearchIndexer.exe	118
PID 3664 wrote to memory of 3980	3664	SearchIndexer.exe	118

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\RFQ21032023.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ21032023.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4932
- C:\Users\Admin\AppData\Local\Temp\RFQ21032023.exe
  "C:\Users\Admin\AppData\Local\Temp\RFQ21032023.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1876
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path
    PID:1972

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1528

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3548

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:696

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3356

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1840

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4640

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2220

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4880

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4664

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1636

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3364

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4452

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3740

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4092

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1996

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4112

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4772

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3440

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3624

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1060

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2932

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4528

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3732

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3664
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3696
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3980

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
fc241a0d7e4a11ad465a82faa956b2e9

SHA1
9b04e592785497a10862b286e4337d3e19237c84

SHA256
3bfa48445cf30f8b45b24d1ca8370d4be4ab86de65b91188f27fb439f13254dc

SHA512
d24c4c6ea0d32dec04f83611f19e9e94fdf84fce3a7fdc3f620d6a300d0905c1492b4c777522bad1cab81e3a39d59587625d46102963171f337f226e7e70a469

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
f9fc68239b3ba980f1e1ae5f44d42004

SHA1
0cd3d41a2d889fec46119b484a8cb10bac1b0a7a

SHA256
b5bd99999c652a37d38a245dd27889a2b8b32a5cf59ee46124b018d6a25bcf65

SHA512
50b9841295aa3a5306cf6c6ec1ee2e143d91cf85dbb1d0e8cf779be8793cbd5856f2b1db9ba7f9ee5f688c1b0971cdc4cf93959d5adeb81c433a8805fecf599f

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
5ff37dc9a43b3bbc806cf260eeb0d3dd

SHA1
142e6f4cd10d95cbda3bdd20ac7ef58b9ec6be0b

SHA256
cfe26cc7416771eab3783e5c72c7a068ec532afc2805bc89a13e6de84e6f9349

SHA512
3add0cc0dd93b130702fe495e96e212602cf181a1eb9e9878d3e2f38dca4caa7623518248aaf881a42aedef22b19411065e2d5e796868cf60fd10c9e0a72bebc

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
66684322898d90007e07970ed291c6d1

SHA1
8896dc7354ed2d0f92d3c1eeb41d591e8da0eda8

SHA256
36ac18afd8b9ae7b7cfa8a7f550afafd39f920d4b6a24c9499ec76367bf299fe

SHA512
97098a5fbf4dc8150a29447e45b97bead9d65641b11e50bf887065e189934024d73503f3496fc7874a128552cd817753087e54a22b2fcc097f7cac3a7f4edfea

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
0149e6ba23b3048b3e7c58bf15012f92

SHA1
f8e4d3c76c22942298062955a2ec3ee653eb8d90

SHA256
04690c7d9eec6301e04634b3b319d3fc15d4f52bbfeabce57134087b6c9eef57

SHA512
1e7546267cb46e310b2c65e11a2fb7e0c819ef6ef46335ae30a282948bccab6d27f67d746e68481faff6cc4e6956ffec89b43d456e8730a99541a2532b1ecee2

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
56a742c9ed12a0eeddb3e48eef59af45

SHA1
a607ca2ee6d46fa494f12dff1db7734c9b27ee67

SHA256
c4295f645563e827896e5705891e18834b5fe21f76478e7a66c9f1731004e759

SHA512
bfca913610db0af6470db3d281af254027273dd5b2686c96735ad4dc1876ce459459b37d8c7595455313a20a2b5df4c2627a251e04e476e416d9e73f5aac9602

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
0b4b02ecfcb297d1713d7dbb01f98d3a

SHA1
9f7a5aabc292e501308a574f8962b998e3861b30

SHA256
8974a6ee30092da9506afdea1c69491931c0b4806ea96c83fbf3433fd5f412a7

SHA512
f030b387e9349a1f2e5902f90b285a17cc771553be77202add19db4ee484700b0804bcfaa3594c1864d9d0045bb93fc823dd2c0e4f218816c3184da61955fa77

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
e02fe33cdc43947152285ca466ab8f69

SHA1
edcca72a97cebce276881957c82e626cf454ac26

SHA256
8289d9e413567f16aa4bcf90ffe890e8c7fe01202c8a2f2874c4531fd1841209

SHA512
b869abe0fcf8ffb6b9a174a28283f63943408536204574f0d9111fe0a5489f6ed948033006b99d9f8b8735c5fa8450f6d7a9dc916537e609edc31f5b76c6be47

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
ccf4e26b93dbc1fcfaa0554544118464

SHA1
564f9413dd0522765d46f3f3aaf5b628a5c506da

SHA256
4f6115be234b8d40de2993226d5082d8cb34833fcbb7eefbeca377b6d43e56ac

SHA512
fd486ac82d80c73575a1e6097ae8373200a8b3fa6545ac9702a6025d781b57fb3b10ef75c1bd61499248f3e10c06c78e6cb25ef43af053d629d079d23d49dbd1

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
8ff767bedda64e1a5ac37e1003434443

SHA1
42eabfb3b9e4744b7628af33232f64dd1e29327b

SHA256
3248878cd72fe2aa9acc2ab3e0551ddd60e274ddde8222cf03f737cfa4386c2f

SHA512
907e6eafd34229d2d9b71da7550cbccd3e2aa2cbcb2561ee2a80ebf1f5ec45a3ab9899de93fff5ac23485a665f7328e5f776978ebfbbb6363dcc9962adb8a991

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
8ff767bedda64e1a5ac37e1003434443

SHA1
42eabfb3b9e4744b7628af33232f64dd1e29327b

SHA256
3248878cd72fe2aa9acc2ab3e0551ddd60e274ddde8222cf03f737cfa4386c2f

SHA512
907e6eafd34229d2d9b71da7550cbccd3e2aa2cbcb2561ee2a80ebf1f5ec45a3ab9899de93fff5ac23485a665f7328e5f776978ebfbbb6363dcc9962adb8a991

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
7295678ba0060ad643901447fe56ab1b

SHA1
3e27a4a6a67c401b34b56bb6d9de9c601d365673

SHA256
3bae9a5d48d5f5f397276c90165513a7443b079b3761eb5c4cb9aa801a98f13e

SHA512
49cdc6aa775f5184e08f47ba707a4794b7990ac652fb8ae426a69ff7a7f0b0895e3eab945ee350c46992a06b803b4a9adb82b146370b456c61d09f6bd7cc5f47

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
dc63ca410a1985d3b6852be64d907e4a

SHA1
4bbde2cb0ff83f10fe218a338a512b4e432d43b6

SHA256
bfb8b0cd94656dc001b82804bd48f2f767ae7967172802742e324f4581f83632

SHA512
d62d8b85145f050b94ea4da99893675ecd096c94db8d751fb1fe0fe525adb3bc532727f3400dbc3b6aa033bfa6b5d503ab4ef7e713eb442263248570762ba7ff

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
1149d1f8fc06108f243d77d801a60a82

SHA1
f0d8e0420c097b909fc61aee417ee96f5592defe

SHA256
5569b35c194ffe77a09d62d7f6ff5334c7ae66208425abb0d5c580added09a65

SHA512
b88e046093c92feb63e4c97c8c3d435b0a407c27a137a072abc7c81b6dbde971493758316b5f4b3a4583548b8649b1cb34bacda4b0292a989323cb160761dacc

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
14eeca90e9a5a826f54343b8c3e01d8d

SHA1
cf7fa85db0b8016cb7edeb8037f5bc04ff937bbd

SHA256
35d8cd5a4f7350dec8cef22d725a1c9258e510d4b135c657786501a38d5cae5a

SHA512
fad7b158f152d374e1bb597dba3f5e4089915ab7b72511c5d89e325606df933c9849c03157154c6ccb946e6ba185adf095ba14edd3eaafeee29318dc743640a0

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
ddf3b071f90cf5dc3e7131706fb36828

SHA1
77ecf65cbb2e3d2137aca3b9befb7449a3858144

SHA256
8e970bbc0fd07e1e2a3ede5fb8b77e95cfd74d871e1a56214fbb4c4d574f8fb0

SHA512
83260c44b88205efc07d0fb188f0bc90c69b71008b67c0bed087b811c6b1a0059eff5633623e820914b174bbc2bf40f4e0fc4edb0d208f86c2a8841c083bead8

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
83fd76ff77b45d9b7f03adefbd127a34

SHA1
37616ceca85ea1d52d7cf0e388d023bbf575c163

SHA256
2f9c3af4c8f431eac6a9a663ecb65ba048a3751c70612ded0370d149d3a0fc36

SHA512
5bf8df8b939b68432c2a1120995dc37c10ca430b83f440581f2ebec768313e47859b8bf4e422ae83ee86d8a17116c3cf02cec8f05448162935a07ddc4492f7eb

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
f8dd779fa3acaf7e56cbb0c30ab9c4b8

SHA1
4e890f9da5f051385ea817f3b4cd47cbd91fdd2b

SHA256
05b528faf266807159ff4b839231145077f13a2400df0aba55382cb790acd63a

SHA512
eab6a751b5545a7baffd2b72b51bfe6d423696c68af34164962bded0ce48093b4dafad8991a67f85b165e61743e247ff241ba7443e295128393544042939b90b

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
bedb367212ee48f6524d5a7228bd6ef5

SHA1
2d07b5bee05316e1735d09988b826d056fdb9169

SHA256
f96f45bc064abb276d9a70e6785ded3ad473e0a34317a973ec8e64cc7e6e1947

SHA512
8a5cdf31272dd8714886c1d1d926b7a4f19768254fbe6ae1466654767fed37313992913fed029dee90e2e1d8b7679cb8fd0a230133bbe9968bb5f2aea2e99623

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
d3d322a7ce1ea40ef06fccf6b429ae84

SHA1
f652143cc6884d3700514c20d65137e9fcc1bce1

SHA256
7587cbfc7503dc8eaaac17212b696dd07fc3fefbb219c0bfba47837657caa859

SHA512
e7f71d906e08506966658bd956d83c53bb83306d101e5ad05bfbc73bac47b13df09b36b7a91193838ab85e51cdfaf09812a98e3f94cd0bcb594359e9d86cbac4

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
e049149171a0ec5d2d4fb32ea5ffe728

SHA1
cc9d48cfbaa887b443c6d75c17b7633a394eb59a

SHA256
9a27127f9e89d5b70c64f0584462fa86f5df3feaecb1451f0638ccafca3f8923

SHA512
37dabd98d714f136a114789db522ec3f0eebcc81e9698f86264d136956468b0d86003e6a0c3412d21d6707be0a9a62e2d13946c6176c1cd42502149e7205857b

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
438c4b50e000f1ee18776a0c8fd094b2

SHA1
4bc9f95bbe920433b849807e68b948b94de76841

SHA256
0cdc3209b28e4994968ff679128032a0a49277803d32d8c38b3efc9a286dc395

SHA512
190baf31755bdaf385554edf1f0f7ffc02df7a8a8c105d5ac996528ebb65ed0f37b1cff0d8a6297aeb8f3c1c1c8c191696b4bd07988f18d68ec16495670379f3

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
7809f10f51b6bba19ba719e27208c3fd

SHA1
fec32510085b21dea6d660c5391cf3b94a93a9dc

SHA256
e1ea47c7613462aed1aca029246d49f996c76b00627e0788e489e3479d86f9fc

SHA512
5b8448babf0ca7d621d012c9fa4402e59252a1a72a349bc9c010308995ee8b7cf31ba8177bc07ede3d50d28820a1c2f59844ace516a6897fb46d9a4b8077ac90

Download Submit
memory/1060-383-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1528-157-0x00000000005B0000-0x0000000000610000-memory.dmp

Filesize
384KB

Download
memory/1528-177-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/1528-163-0x00000000005B0000-0x0000000000610000-memory.dmp

Filesize
384KB

Download
memory/1636-270-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/1840-191-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/1840-198-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/1840-204-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1840-468-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1876-143-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1876-140-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1876-458-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1876-144-0x00000000013D0000-0x0000000001436000-memory.dmp

Filesize
408KB

Download
memory/1876-149-0x00000000013D0000-0x0000000001436000-memory.dmp

Filesize
408KB

Download
memory/1876-155-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1972-205-0x0000000004D80000-0x0000000004D90000-memory.dmp

Filesize
64KB

Download
memory/1972-197-0x00000000007C0000-0x0000000000826000-memory.dmp

Filesize
408KB

Download
memory/1996-325-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1996-561-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2220-230-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2220-227-0x0000000002200000-0x0000000002260000-memory.dmp

Filesize
384KB

Download
memory/2220-218-0x0000000002200000-0x0000000002260000-memory.dmp

Filesize
384KB

Download
memory/2220-224-0x0000000002200000-0x0000000002260000-memory.dmp

Filesize
384KB

Download
memory/2932-385-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2932-584-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3356-203-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3356-181-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/3356-187-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/3356-200-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/3364-272-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/3364-526-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/3440-359-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/3548-179-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/3548-169-0x0000000000650000-0x00000000006B0000-memory.dmp

Filesize
384KB

Download
memory/3548-175-0x0000000000650000-0x00000000006B0000-memory.dmp

Filesize
384KB

Download
memory/3624-356-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3664-587-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3664-407-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3732-406-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/3732-586-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/3740-532-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3740-293-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3980-654-0x000001CE11450000-0x000001CE11460000-memory.dmp

Filesize
64KB

Download
memory/3980-655-0x000001CE11450000-0x000001CE11451000-memory.dmp

Filesize
4KB

Download
memory/3980-649-0x000001CE11440000-0x000001CE11450000-memory.dmp

Filesize
64KB

Download
memory/4092-322-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/4112-357-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/4452-290-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/4528-585-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4528-388-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4640-486-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4640-214-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/4640-208-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/4640-232-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4664-268-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/4880-489-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/4880-233-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/4880-234-0x0000000000D00000-0x0000000000D60000-memory.dmp

Filesize
384KB

Download
memory/4932-136-0x0000000004CA0000-0x0000000004CAA000-memory.dmp

Filesize
40KB

Download
memory/4932-137-0x0000000004F10000-0x0000000004F20000-memory.dmp

Filesize
64KB

Download
memory/4932-138-0x0000000004F10000-0x0000000004F20000-memory.dmp

Filesize
64KB

Download
memory/4932-139-0x0000000005CD0000-0x0000000005D6C000-memory.dmp

Filesize
624KB

Download
memory/4932-133-0x0000000000120000-0x000000000029A000-memory.dmp

Filesize
1.5MB

Download
memory/4932-134-0x0000000005270000-0x0000000005814000-memory.dmp

Filesize
5.6MB

Download
memory/4932-135-0x0000000004CC0000-0x0000000004D52000-memory.dmp

Filesize
584KB

Download