Analysis

max time kernel: 150s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64 arch:x86 image:win10v2004-20230220-en locale:en-us os:windows10-2004-x64 system
submitted: 17-05-2023 01:49

Static task: static1

Behavioral task: behavioral1
Sample: Request for Quotation.exe
Resource: win7-20230220-en

Behavioral task: behavioral2
Sample: Request for Quotation.exe
Resource: win10v2004-20230220-en

General

Target: Request for Quotation.exe
Size: 1.5MB
MD5: 67683d83541b578498d12ddc5828260e
SHA1: 679904b6c6101f399811885b42e98c4c8c564e6e
SHA256: 9a3e3d21954d44054b67a726ecc1c6e54a231f4accc013fa91d0830ccf134680
SHA512: fb3080919598e0bedaa3b429e86f498bbbfcfb257a9c92dc9f6c197e2da9bd17328cc762bd97e7cbb770f0d6f1e8c8c05107a59f6204ce8ebc5ad4996e8e709b
SSDEEP: 24576:sLOOmjfJ7uGyhgAzbOQ31ubRVTkK09CDg2bCaUwFDyfCTdNuuVIF/gwqb+:sG17uGmPOQ3oNVTkhC/bCaUwpy2wuV32

Malware Config

Extracted: blustealer
https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A modular information stealer written in Visual Basic.

Executes dropped EXE (22 IoCs)

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.

Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AppLaunch.exe
Key opened | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AppLaunch.exe
Key opened | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AppLaunch.exe

Drops file in System32 directory (24 IoCs)

Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
PID 636 set thread context of 2800 | 636 | Request for Quotation.exe | 91
PID 2800 set thread context of 1864 | 2800 | Request for Quotation.exe | 120

Drops file in Program Files directory (64 IoCs)

Drops file in Windows directory (2 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | Request for Quotation.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe

Modifies data under HKEY_USERS (64 IoCs)
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
description | flow | ioc
HTTP User-Agent header | 89 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: EnumeratesProcesses 37 IoCs
pid | Process | events
636 | Request for Quotation.exe | 2
2800 | Request for Quotation.exe | 35
Suspicious behavior: LoadsDriver 2 IoCs
pid | Process
652 | Process not Found
652 | Process not Found
Suspicious use of AdjustPrivilegeToken 44 IoCs
Token | pid | Process | events
SeDebugPrivilege | 636 | Request for Quotation.exe | 1
SeTakeOwnershipPrivilege | 2800 | Request for Quotation.exe | 1
SeAuditPrivilege | 1208 | fxssvc.exe | 1
SeRestorePrivilege | 4404 | TieringEngineService.exe | 1
SeManageVolumePrivilege | 4404 | TieringEngineService.exe | 1
SeAssignPrimaryTokenPrivilege | 2972 | AgentService.exe | 1
SeBackupPrivilege | 4764 | vssvc.exe | 1
SeRestorePrivilege | 4764 | vssvc.exe | 1
SeAuditPrivilege | 4764 | vssvc.exe | 1
SeBackupPrivilege | 4540 | wbengine.exe | 1
SeRestorePrivilege | 4540 | wbengine.exe | 1
SeSecurityPrivilege | 4540 | wbengine.exe | 1
33 | 3516 | SearchIndexer.exe | 1
SeIncBasePriorityPrivilege | 3516 | SearchIndexer.exe | 1
SeTakeOwnershipPrivilege | 3516 | SearchIndexer.exe | 25
SeDebugPrivilege | 2800 | Request for Quotation.exe | 5
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
2800 | Request for Quotation.exe
Suspicious use of WriteProcessMemory 20 IoCs
description | pid | Process | procid_target | events
PID 636 wrote to memory of 4260 | 636 | Request for Quotation.exe | 90 | 3
PID 636 wrote to memory of 2800 | 636 | Request for Quotation.exe | 91 | 8
PID 3516 wrote to memory of 4732 | 3516 | SearchIndexer.exe | 118 | 2
PID 3516 wrote to memory of 4848 | 3516 | SearchIndexer.exe | 119 | 2
PID 2800 wrote to memory of 1864 | 2800 | Request for Quotation.exe | 120 | 5
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
outlook_office_path 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AppLaunch.exe
outlook_win_path 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AppLaunch.exe
Processes

C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe"
  PID: 636
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Children:
    C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe"
      PID: 4260
    C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe"
      PID: 2800
      - Drops file in System32 directory
      - Suspicious use of SetThreadContext
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      Children:
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          PID: 1864
          - Accesses Microsoft Outlook profiles
          - outlook_office_path
          - outlook_win_path

C:\Windows\System32\alg.exe
  Command line: C:\Windows\System32\alg.exe
  PID: 1608
  - Executes dropped EXE
  - Drops file in System32 directory

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  PID: 2672
  - Executes dropped EXE

C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
  PID: 4528

C:\Windows\system32\fxssvc.exe
  Command line: C:\Windows\system32\fxssvc.exe
  PID: 1208
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
  Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
  PID: 3300
  - Executes dropped EXE

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
  PID: 392
  - Executes dropped EXE

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
  Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
  PID: 4012
  - Executes dropped EXE
  - Drops file in Program Files directory

C:\Windows\System32\msdtc.exe
  Command line: C:\Windows\System32\msdtc.exe
  PID: 3448
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
  Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
  PID: 2200
  - Executes dropped EXE

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  PID: 5008
  - Executes dropped EXE

C:\Windows\SysWow64\perfhost.exe
  Command line: C:\Windows\SysWow64\perfhost.exe
  PID: 3436
  - Executes dropped EXE

C:\Windows\system32\locator.exe
  Command line: C:\Windows\system32\locator.exe
  PID: 2484
  - Executes dropped EXE

C:\Windows\System32\SensorDataService.exe
  Command line: C:\Windows\System32\SensorDataService.exe
  PID: 3948
  - Executes dropped EXE
  - Checks SCSI registry key(s)

C:\Windows\System32\snmptrap.exe
  Command line: C:\Windows\System32\snmptrap.exe
  PID: 3880
  - Executes dropped EXE

C:\Windows\system32\spectrum.exe
  Command line: C:\Windows\system32\spectrum.exe
  PID: 5116
  - Executes dropped EXE
  - Checks SCSI registry key(s)

C:\Windows\System32\OpenSSH\ssh-agent.exe
  Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
  PID: 3784
  - Executes dropped EXE

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
  PID: 4232

C:\Windows\system32\TieringEngineService.exe
  Command line: C:\Windows\system32\TieringEngineService.exe
  PID: 4404
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\AgentService.exe
  Command line: C:\Windows\system32\AgentService.exe
  PID: 2972
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\vds.exe
  Command line: C:\Windows\System32\vds.exe
  PID: 4392
  - Executes dropped EXE

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 4764
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\wbengine.exe
  Command line: "C:\Windows\system32\wbengine.exe"
  PID: 4540
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\wbem\WmiApSrv.exe
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
  PID: 4276
  - Executes dropped EXE

C:\Windows\system32\SearchIndexer.exe
  Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
  PID: 3516
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Children:
    C:\Windows\system32\SearchProtocolHost.exe
      Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
      PID: 4732
      - Modifies data under HKEY_USERS
    C:\Windows\system32\SearchFilterHost.exe
      Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
      PID: 4848
      - Modifies data under HKEY_USERS
Downloads