blustealer | 374bd46f94cdf56eb2775ec23f0b70e8179541f348de2959a4a885b8f22af99c

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
08-05-2023 13:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Request for Quotation.exe
Size

1.4MB
MD5

235c2d00b691656b63a715eac1e7511b
SHA1

511e1e3646ad2ca0012709c56544ca9497b969e0
SHA256

374bd46f94cdf56eb2775ec23f0b70e8179541f348de2959a4a885b8f22af99c
SHA512

f0432f5f5668af790b8959a0cdd75236389cc0a3af2c033e04d92066373207d935f7a75261a0e46a9339fc8d083097555ea9a5c6f032310c54c4659dc7913ec3
SSDEEP

24576:AR8UY0b6vrCWFHojNYhS8vE1BiCJQwcGJVdOeyYZ3pnFchs1D3x3PWh:28emvrCmIjNYJv+BxHcGJy+3pnFcWpNP

Score

10^/10

blustealer collection spyware stealer

Malware Config

Extracted

Family

blustealer

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 22 IoCs

pid	Process
3572	alg.exe
4304	DiagnosticsHub.StandardCollector.Service.exe
448	fxssvc.exe
1496	elevation_service.exe
4516	elevation_service.exe
1516	maintenanceservice.exe
4688	msdtc.exe
2236	OSE.EXE
1904	PerceptionSimulationService.exe
3156	perfhost.exe
1744	locator.exe
1604	SensorDataService.exe
4332	snmptrap.exe
2196	spectrum.exe
3868	ssh-agent.exe
3492	TieringEngineService.exe
3656	AgentService.exe
2356	vds.exe
2192	vssvc.exe
4928	wbengine.exe
5080	WmiApSrv.exe
1484	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\41be7372ea807a0f.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	Request for Quotation.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	Request for Quotation.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	Request for Quotation.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	Request for Quotation.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	Request for Quotation.exe
File opened for modification	C:\Windows\system32\dllhost.exe	Request for Quotation.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	Request for Quotation.exe
File opened for modification	C:\Windows\system32\msiexec.exe	Request for Quotation.exe
File opened for modification	C:\Windows\system32\AgentService.exe	Request for Quotation.exe
File opened for modification	C:\Windows\System32\vds.exe	Request for Quotation.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	Request for Quotation.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	Request for Quotation.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	Request for Quotation.exe
File opened for modification	C:\Windows\system32\spectrum.exe	Request for Quotation.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	Request for Quotation.exe
File opened for modification	C:\Windows\system32\wbengine.exe	Request for Quotation.exe
File opened for modification	C:\Windows\System32\alg.exe	Request for Quotation.exe
File opened for modification	C:\Windows\System32\msdtc.exe	Request for Quotation.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	Request for Quotation.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	Request for Quotation.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	Request for Quotation.exe
File opened for modification	C:\Windows\system32\vssvc.exe	Request for Quotation.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4132 set thread context of 2400	4132	Request for Quotation.exe	93
PID 2400 set thread context of 4060	2400	Request for Quotation.exe	116

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\java-rmi.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jp2launcher.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\klist.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	Request for Quotation.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jps.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstack.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jp2launcher.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\servertool.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Request for Quotation.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	Request for Quotation.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	Request for Quotation.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmiregistry.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\keytool.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ktab.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ssvagent.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	Request for Quotation.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	Request for Quotation.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Request for Quotation.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	Request for Quotation.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	Request for Quotation.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\orbd.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\policytool.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\rmiregistry.exe	Request for Quotation.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jjs.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\ktab.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	Request for Quotation.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	Request for Quotation.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	Request for Quotation.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	Request for Quotation.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jconsole.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\policytool.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\schemagen.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\kinit.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javaws.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	Request for Quotation.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdb.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\java.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\ssvagent.exe	Request for Quotation.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	Request for Quotation.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\servertool.exe	Request for Quotation.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\unpack200.exe	Request for Quotation.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	Request for Quotation.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000223a323c281d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000093bf3822c281d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005d7a3221c281d901	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000042a2723c281d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d39a4d20c281d901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000081ede229c281d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000081f67122c281d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005a6ca62ac281d901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000287df72ac281d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000010fc522ac281d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001d9b122ac281d901	SearchProtocolHost.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	64	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
4132	Request for Quotation.exe
4132	Request for Quotation.exe
2400	Request for Quotation.exe
2400	Request for Quotation.exe
2400	Request for Quotation.exe
2400	Request for Quotation.exe
2400	Request for Quotation.exe
2400	Request for Quotation.exe
2400	Request for Quotation.exe
2400	Request for Quotation.exe
2400	Request for Quotation.exe
2400	Request for Quotation.exe
2400	Request for Quotation.exe
2400	Request for Quotation.exe
2400	Request for Quotation.exe
2400	Request for Quotation.exe
2400	Request for Quotation.exe
2400	Request for Quotation.exe
2400	Request for Quotation.exe
2400	Request for Quotation.exe
2400	Request for Quotation.exe
2400	Request for Quotation.exe
2400	Request for Quotation.exe
2400	Request for Quotation.exe
2400	Request for Quotation.exe
2400	Request for Quotation.exe
2400	Request for Quotation.exe
2400	Request for Quotation.exe
2400	Request for Quotation.exe
2400	Request for Quotation.exe
2400	Request for Quotation.exe
2400	Request for Quotation.exe
2400	Request for Quotation.exe
2400	Request for Quotation.exe
2400	Request for Quotation.exe
2400	Request for Quotation.exe
2400	Request for Quotation.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
672	Process not Found
672	Process not Found

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeDebugPrivilege	4132	Request for Quotation.exe
Token: SeTakeOwnershipPrivilege	2400	Request for Quotation.exe
Token: SeAuditPrivilege	448	fxssvc.exe
Token: SeRestorePrivilege	3492	TieringEngineService.exe
Token: SeManageVolumePrivilege	3492	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3656	AgentService.exe
Token: SeBackupPrivilege	2192	vssvc.exe
Token: SeRestorePrivilege	2192	vssvc.exe
Token: SeAuditPrivilege	2192	vssvc.exe
Token: SeBackupPrivilege	4928	wbengine.exe
Token: SeRestorePrivilege	4928	wbengine.exe
Token: SeSecurityPrivilege	4928	wbengine.exe
Token: 33	1484	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1484	SearchIndexer.exe
Token: SeDebugPrivilege	2400	Request for Quotation.exe
Token: SeDebugPrivilege	2400	Request for Quotation.exe
Token: SeDebugPrivilege	2400	Request for Quotation.exe
Token: SeDebugPrivilege	2400	Request for Quotation.exe
Token: SeDebugPrivilege	2400	Request for Quotation.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2400	Request for Quotation.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 4132 wrote to memory of 4660	4132	Request for Quotation.exe	92
PID 4132 wrote to memory of 4660	4132	Request for Quotation.exe	92
PID 4132 wrote to memory of 4660	4132	Request for Quotation.exe	92
PID 4132 wrote to memory of 2400	4132	Request for Quotation.exe	93
PID 4132 wrote to memory of 2400	4132	Request for Quotation.exe	93
PID 4132 wrote to memory of 2400	4132	Request for Quotation.exe	93
PID 4132 wrote to memory of 2400	4132	Request for Quotation.exe	93
PID 4132 wrote to memory of 2400	4132	Request for Quotation.exe	93
PID 4132 wrote to memory of 2400	4132	Request for Quotation.exe	93
PID 4132 wrote to memory of 2400	4132	Request for Quotation.exe	93
PID 4132 wrote to memory of 2400	4132	Request for Quotation.exe	93
PID 2400 wrote to memory of 4060	2400	Request for Quotation.exe	116
PID 2400 wrote to memory of 4060	2400	Request for Quotation.exe	116
PID 2400 wrote to memory of 4060	2400	Request for Quotation.exe	116
PID 2400 wrote to memory of 4060	2400	Request for Quotation.exe	116
PID 2400 wrote to memory of 4060	2400	Request for Quotation.exe	116
PID 1484 wrote to memory of 2852	1484	SearchIndexer.exe	121
PID 1484 wrote to memory of 2852	1484	SearchIndexer.exe	121
PID 1484 wrote to memory of 744	1484	SearchIndexer.exe	122
PID 1484 wrote to memory of 744	1484	SearchIndexer.exe	122

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe
"C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4132
- C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe
  "C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe"
  2⤵
  PID:4660
- C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe
  "C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2400
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path
    PID:4060

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3572

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4304

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1408

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:448

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1496

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4516

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1516

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4688

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2236

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1904

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3156

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1744

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1604

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4332

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2196

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3868

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1880

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3492

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3656

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2356

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2192

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4928

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5080

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1484
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2852
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:744

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
9d187fdb3bdb95eaf02e620024cf579b

SHA1
9838514cce784f8fbb24731fc3c3296e79a4399a

SHA256
d884101f8f01fcb0fc0594471d6913f60f221f567dcaa252c4bdba1f6d0dae88

SHA512
5d08427e7b9824d55c3f38b32674e0ef6f0d2db02d75865340dbf7e7f00c323a2dbc1380f90ba2cd293667afd78a8a6d9a6f87811cda9a1cea031f989478869a

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
f8672b3673049304fbf19e242c8fd3ca

SHA1
fbf8878a74fae1a62120ceabbc7c420e26dbf2aa

SHA256
ed7f338362784a192bc890e1e24b070633b998309f2c21529c41d86bd541929b

SHA512
5dce1f6d0645ba501640e368fec1ea8c102de6ef6531368a52012743f30a84753d7f1a03799ce62aecbfb524824b5832652014e6dfbfb7ac0062b7a9f6713325

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
af8660cf6cdcbfb153d1ea669b393c73

SHA1
414da91f3d0f412bfc0693a8056d1f9131eac954

SHA256
ddd2cdbcb77610698c19c992e68266f7373e44227e5e240a4913ec1c61adc17b

SHA512
b5deb35513b368da9520fe51827af42141389da2c7f1f706309c3fad8b5f10358ab24cbb93a828ef2c16c05f07480122270b14d07f5e6338d53ab82126cd2fd7

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
83021eeff52afe283a0ae3603cba9d91

SHA1
4c683753864b0a001df4c44ed7f97f456b19fb76

SHA256
ba7d880627df50b4b82415d5e0fca15cb73f91191ec0fc1f89b4af041e3f6d76

SHA512
9ddf134e364a9ae4f37b75900643012126b53adf4e9b877cea126d93855f19cf61e2c57d99df8554d5f63c6e7069943b450f60be150d2bc32c3c5a4fa610151a

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
f1de1cd691f44849949ede21aa0262d4

SHA1
fcab44cc959f32655eee0f8fd9bb0259612cd8bf

SHA256
e1051659c6aa0ca55ce6338d4fef8e3205e316de98bbda9eed1d3cb7abfddb0e

SHA512
a8ac91ba70d793e09070fc09e2b24f17ddcccbc657de490be32295cdc83c94eabe6725435d520958d6750a47900ad552fde6ce24abaaacecc179bdc0fc9d771b

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
505d8e5162ef2a1f07f4337a0ee1c203

SHA1
0d91cd46b77976f4c8ab49f70624f645ecd122b6

SHA256
20d083465a893d040ac8fef97f8c077e9712b77ccf8092e31cb2e1de628d3830

SHA512
34628437019f125977c6076f33f8c3e66893e7e1c4dd6164d89cf8d956f2ffe702153c392c737dc5afb0c44a127af549f45cc9253d77ce9ea4f918d15c8e751f

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
821c4b4d6a00f5cd50a5ca0e513420cc

SHA1
6cb6b92025afb1ccf32273bc33766e1cdb384360

SHA256
543bd900fe17cc0d8eeb337f91ceca3acf385cb905350f4458589677a5a2adc7

SHA512
dae8f3bb79f031d191f48cd2d1d0f286573e8dbc710aac7d8e17602ac3ebf11fed283419481c9b690b2bbb4a41111864acd17d2f2a891d1017632c75fb92b69e

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
9fd2d30be1e5aa6bb635cb6006f8cda8

SHA1
e73e32d48f6d953cb44d53d39700a26465deffd0

SHA256
6ebd77b18d621ecb6ed19821178802355756a6f7298c3de2c1c2e2a3d9df87f1

SHA512
c157dac3672a1825d2489d72758487d46912e6ab2d73445bdc96ad061d3fd95c939faaa1a65fae8e7712e2999dca6951a6b59b0844321195c50fb8f03f3133a0

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
f09269007e3320a1bff8ff2af407ab6f

SHA1
f5a511cc7250ea48105587d86596b21ff0c82fa6

SHA256
2b9d17a88b4307b03bddb111827f781b0308831f08981a3e169a62fef196cf2b

SHA512
cf47850d21e182a2f5bd546ac2028f7e0da53aaa21e90d628417f958371e0d0b5de2b975ac8034d0d0361b15a8309f0b18ed031d2260015be857c3ea0051f9e1

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
07bad32fca37c8ace6d04158705f2750

SHA1
411e08343d22215c14440da2ac1585d33cfcfffa

SHA256
633c67d90329f5e3af3e89fd88d27eb62ffc050dd9762e1d7e42fcb69972321c

SHA512
b869cac3b15a29928e66f593af53e0f6425bead6e14c0fa9617ba30f9b48f4e964f82757d1e0432e1f072f5e2df4c1972f2dc67d8296f1e5d55017198e801955

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
07bad32fca37c8ace6d04158705f2750

SHA1
411e08343d22215c14440da2ac1585d33cfcfffa

SHA256
633c67d90329f5e3af3e89fd88d27eb62ffc050dd9762e1d7e42fcb69972321c

SHA512
b869cac3b15a29928e66f593af53e0f6425bead6e14c0fa9617ba30f9b48f4e964f82757d1e0432e1f072f5e2df4c1972f2dc67d8296f1e5d55017198e801955

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
b8b3c2feb922f3f29a798a05fc896a2a

SHA1
b7b4b27ec2011e82530838a8db9eeb9f207c0477

SHA256
f97d4c775144759d5818e1d47d9c1911c3a4bc1a781e8bab2233a559b50da511

SHA512
9e738be436281d5828493384f2936ecf83cd9da0da9cf5bc2d929bc39e00cf7ad86adfe14e48137eaea3b7632f7d9bdc38791bd7e817cf9300b6eac04a0de1b1

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
39ec753b9a2054011737f8a2000b3de8

SHA1
f541900af05aa9b900e10fab16d596b520af1332

SHA256
7b798c4741e9d5a6bcfd92db4b01f076f08c6688e5c7e54272052ea642d0ce22

SHA512
535c123b41867f281437e209c1fac2cfbcc17caaa14b116f4cff034c46daf537076dd67b4db3426622d6c3cee9a47d145f1dd28d2975647bde7b2db9579e8774

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
c9b3a4eea389e1bfd5f5fab06b5cf035

SHA1
db46d25b95592d6b57c466b35a32e203f1fa4fa4

SHA256
410e54cbe8b0c7c6a02b8c226bd18ccb29dec304af4a357a04611b58a72e43c3

SHA512
a3f413ab622bdb88f2ac7fb6e6a7b0cbdc07c1ad2014b257ebf34a028e47a2160f6a5e5ff18416a6e8e5528669718402c29a1486339c5fb3b9c80cfcdf640249

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
4d5f9984eacaf4892213a18932283c62

SHA1
4500987fc880278394b4b8222d89620f73e59f2e

SHA256
80aeb4677e8a28277b9697e94efd03e2450e96ae6b3336d26213b1198e1af936

SHA512
02ee2a81132116e47d91bce10072545bd17cab0e16419a5356547e619851be466555d7594981b8600e3e4643051c1a7efcbfe3ab8b85bd1c0f52fea9e0c00af1

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
3d01378ce8cebb641c1e04583516e5fd

SHA1
754ebbf9e2a6d70c4103d630c050a19ace22ad81

SHA256
ed7ef41eaf939ff93e61c30d838a8d705a8d527b3b68aeece9ffb22102639378

SHA512
34fa858e0000474583c05bbcedb5f6706c7cc0f26a47f69c345bc196a160bfe032342dbb8431fd7b3c8023c7584069c3df269cd41acab4aac9c33a63ffacb4dc

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
e26503c68ddf4dff0ee5b20aa9a452f0

SHA1
d4dc273e44cce96984f7b3f8b5ec7e2c6640d161

SHA256
0139bb1996294e481eefe8915c97bf936d168d634c87e7a4dc1ba10baef13d90

SHA512
3b100c2fa40668e435ab80fb76e51bbfddd11bd505943792e4c5544678ba80518315cddb6882faec51286c80f5c2f47ab81830bd3da7d6b3980aad5165d95e6c

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
d043a31628b228aa56ca7339dba256de

SHA1
c0613d81980208773c76b124903fb1ead6d2bb34

SHA256
01aa82d766c227fb1d3f6117d9746f577c9b2e71b65cc46ec98f55c005cd57c9

SHA512
5b5e2b6ff26ffbb65ec8888ddcb006c48384e4f9bfcca119c1aefeb73bf266fe21398a9a76b87b0959925cc6efc1f1d79717f0e26e053926f827394eb931de22

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
81aa820c24afba489758f2b76d8e4480

SHA1
9d7ca6f776936322ac39466513a1c54ad02ed810

SHA256
c70fd9e4df2893fc16674233996a44189908b72de98117b5eafb67c4e3d6d884

SHA512
6e3c0add93231bef6f2e1e6f6e8a44973e758c7a3c88458d15e1ffc82b64e78c7f6eda73579a9ce81a69b3772eae5db6dfb097c3251ba58eda8eabf1b4a1f2d7

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
e18e691d9994b565e1c3a894538bf28b

SHA1
2bf6b1fda26ec631e93d8598201624a6e70b5fb6

SHA256
9889c0398524fbb8532ea5d1d818b0beba60107030ef7185591c852cd19738b3

SHA512
63a12162830db0059e20a6169f832480055a31f11673d5494feb098b376be5b4ace13b8210770fe8ed5d7d426f4c168fc5abd4f9c2292fd6cd76e977c5936e64

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
72b490229c7b3cd6e28bfd0155c0e83c

SHA1
1f300c9000f68b7b9bacc08255daaf90b5f00029

SHA256
07e57c3f8d8b9f847a57923cfc8de5bb0d92769faecc436e395783b110c8b3c7

SHA512
bba3e3f242e4f4b16ac87d3ea36f8b615a2cc2b9dcc2b98887a3a4044202f5a24bd7767bf0050c82aecb3e16259b831ebf61404b282b2c0d17b184e75dacc1cb

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
fec4891a350c5a987824ecf0518f55c4

SHA1
949dc2f9a432b8ee0418f24b9a5d857bb8610dfa

SHA256
115370789257c6c4ec8075610c9fe92ea1adff733ede9b6961bb9af0d47e64fe

SHA512
2e310885265670c392d0ff575de96be979d44ef3ccfa148c512ad4ac94ccd5a8bf1bc54b114e4a5eb1c606f747349873448fdaf4eb9d3b0a7e3c172f4bf3fe31

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
fde28d6ce3d12d74484b07d88e7cce8a

SHA1
74bf82e713af865ebdb34b4d9e88c7f5a9957636

SHA256
de4013b7c9ca1be1a68b12e2b3240660a71a60354a0962a7436fc8d55505bb99

SHA512
1f79f8836de2c3b3a6448c3a8bdb1293304278a33f22eca7873a8447fb55259c896e3b8f9871f5262057e75cd71cc6f770e20a1af069ad14fc0b3e6df83c8970

Download Submit
memory/448-188-0x0000000000D20000-0x0000000000D80000-memory.dmp

Filesize
384KB

Download
memory/448-197-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/448-182-0x0000000000D20000-0x0000000000D80000-memory.dmp

Filesize
384KB

Download
memory/448-194-0x0000000000D20000-0x0000000000D80000-memory.dmp

Filesize
384KB

Download
memory/744-707-0x00000181AA340000-0x00000181AA350000-memory.dmp

Filesize
64KB

Download
memory/744-706-0x00000181A9F00000-0x00000181A9F01000-memory.dmp

Filesize
4KB

Download
memory/744-667-0x00000181A9F00000-0x00000181A9F01000-memory.dmp

Filesize
4KB

Download
memory/744-684-0x00000181A9F00000-0x00000181A9F01000-memory.dmp

Filesize
4KB

Download
memory/744-701-0x00000181AA340000-0x00000181AA350000-memory.dmp

Filesize
64KB

Download
memory/744-702-0x00000181AA340000-0x00000181AA350000-memory.dmp

Filesize
64KB

Download
memory/744-703-0x00000181AA340000-0x00000181AA350000-memory.dmp

Filesize
64KB

Download
memory/744-614-0x00000181A9EF0000-0x00000181A9F00000-memory.dmp

Filesize
64KB

Download
memory/744-615-0x00000181A9F00000-0x00000181A9F01000-memory.dmp

Filesize
4KB

Download
memory/744-710-0x00000181AA340000-0x00000181AA350000-memory.dmp

Filesize
64KB

Download
memory/744-708-0x00000181AA340000-0x00000181AA350000-memory.dmp

Filesize
64KB

Download
memory/744-709-0x00000181AA340000-0x00000181AA350000-memory.dmp

Filesize
64KB

Download
memory/1484-467-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1484-641-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1496-406-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1496-202-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1496-201-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/1496-192-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/1516-224-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1516-228-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1516-230-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1516-219-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1516-216-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1604-299-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1604-547-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1744-298-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/1904-276-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/2192-375-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2192-630-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2196-583-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2196-319-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2236-253-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/2236-526-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/2356-373-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2400-165-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/2400-141-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/2400-144-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/2400-145-0x00000000028F0000-0x0000000002956000-memory.dmp

Filesize
408KB

Download
memory/2400-150-0x00000000028F0000-0x0000000002956000-memory.dmp

Filesize
408KB

Download
memory/3156-277-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/3492-359-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/3572-167-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/3572-157-0x00000000005F0000-0x0000000000650000-memory.dmp

Filesize
384KB

Download
memory/3572-163-0x00000000005F0000-0x0000000000650000-memory.dmp

Filesize
384KB

Download
memory/3572-357-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/3656-358-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3868-334-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/4060-383-0x0000000000760000-0x00000000007C6000-memory.dmp

Filesize
408KB

Download
memory/4132-140-0x0000000008BE0000-0x0000000008C7C000-memory.dmp

Filesize
624KB

Download
memory/4132-133-0x0000000000B80000-0x0000000000CE2000-memory.dmp

Filesize
1.4MB

Download
memory/4132-134-0x0000000005B60000-0x0000000006104000-memory.dmp

Filesize
5.6MB

Download
memory/4132-135-0x0000000005690000-0x0000000005722000-memory.dmp

Filesize
584KB

Download
memory/4132-136-0x0000000006110000-0x00000000062B6000-memory.dmp

Filesize
1.6MB

Download
memory/4132-137-0x0000000005820000-0x000000000582A000-memory.dmp

Filesize
40KB

Download
memory/4132-138-0x00000000058D0000-0x00000000058E0000-memory.dmp

Filesize
64KB

Download
memory/4132-139-0x00000000058D0000-0x00000000058E0000-memory.dmp

Filesize
64KB

Download
memory/4304-177-0x0000000000650000-0x00000000006B0000-memory.dmp

Filesize
384KB

Download
memory/4304-171-0x0000000000650000-0x00000000006B0000-memory.dmp

Filesize
384KB

Download
memory/4304-180-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/4332-318-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/4516-217-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4516-212-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/4516-206-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/4516-466-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4688-497-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/4688-232-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/4688-233-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/4928-407-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5080-640-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/5080-409-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download