blustealer | e0e677d03d49bc27c8575e7f2a4816aaf10cea4d624671292cce7e2eeec67497

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
19-05-2023 10:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PI-12042023-02.exe
Size

1.4MB
MD5

00ec65f5667134941484ca7ef40ef167
SHA1

e2aa6f59e21c3d69fe09e036a0db32249739874a
SHA256

e0e677d03d49bc27c8575e7f2a4816aaf10cea4d624671292cce7e2eeec67497
SHA512

d4f09ab5aa9fe5f5ea4429c6dba4e45d3021ffd512148df900bfdcfb3d91c28ce9cf7638f18e857fe913bffac573db70586d6261474813b4baadf4831bf949f9
SSDEEP

24576:X4Ze+gp1yI/aLxE5HY9qzZyQ9HHgefs+LbeFgEC/fGKhQ8mI5EKq:7G1E5HGqzMCg3geEXGk+K

Score

10^/10

blustealer collection spyware stealer

Malware Config

Extracted

Family

blustealer

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 22 IoCs

pid	Process
4564	alg.exe
2864	DiagnosticsHub.StandardCollector.Service.exe
2756	fxssvc.exe
5100	elevation_service.exe
4412	elevation_service.exe
3532	maintenanceservice.exe
4488	msdtc.exe
1888	OSE.EXE
652	PerceptionSimulationService.exe
3096	perfhost.exe
2748	locator.exe
4828	SensorDataService.exe
1224	snmptrap.exe
4808	spectrum.exe
3408	ssh-agent.exe
2936	TieringEngineService.exe
2824	AgentService.exe
2160	vds.exe
4444	vssvc.exe
3092	wbengine.exe
1456	WmiApSrv.exe
1208	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\ee25bed050d0d086.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	PI-12042023-02.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	PI-12042023-02.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	PI-12042023-02.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	PI-12042023-02.exe
File opened for modification	C:\Windows\system32\AgentService.exe	PI-12042023-02.exe
File opened for modification	C:\Windows\System32\vds.exe	PI-12042023-02.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	PI-12042023-02.exe
File opened for modification	C:\Windows\System32\msdtc.exe	PI-12042023-02.exe
File opened for modification	C:\Windows\system32\dllhost.exe	PI-12042023-02.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	PI-12042023-02.exe
File opened for modification	C:\Windows\system32\msiexec.exe	PI-12042023-02.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	PI-12042023-02.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	PI-12042023-02.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	PI-12042023-02.exe
File opened for modification	C:\Windows\System32\alg.exe	PI-12042023-02.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	PI-12042023-02.exe
File opened for modification	C:\Windows\system32\locator.exe	PI-12042023-02.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	PI-12042023-02.exe
File opened for modification	C:\Windows\system32\spectrum.exe	PI-12042023-02.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	PI-12042023-02.exe
File opened for modification	C:\Windows\system32\vssvc.exe	PI-12042023-02.exe
File opened for modification	C:\Windows\system32\wbengine.exe	PI-12042023-02.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1192 set thread context of 2384	1192	PI-12042023-02.exe	93
PID 2384 set thread context of 2536	2384	PI-12042023-02.exe	100

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\keytool.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\native2ascii.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\rmid.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\java-rmi.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\java.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\keytool.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\orbd.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdb.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmiregistry.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\java.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\servertool.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\nbexec64.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\servertool.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jabswitch.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\pack200.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\policytool.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javaws.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jp2launcher.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ssvagent.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\kinit.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\wsgen.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\policytool.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstatd.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jsadebugd.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\servertool.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\klist.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe	PI-12042023-02.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	PI-12042023-02.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000a19dbad4e8ad901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002a39f6ac4e8ad901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000378623ad4e8ad901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000020ad49ad4e8ad901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000066b470ac4e8ad901	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000055ceadad4e8ad901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	107	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
1192	PI-12042023-02.exe
1192	PI-12042023-02.exe
2384	PI-12042023-02.exe
2384	PI-12042023-02.exe
2384	PI-12042023-02.exe
2384	PI-12042023-02.exe
2384	PI-12042023-02.exe
2384	PI-12042023-02.exe
2384	PI-12042023-02.exe
2384	PI-12042023-02.exe
2384	PI-12042023-02.exe
2384	PI-12042023-02.exe
2384	PI-12042023-02.exe
2384	PI-12042023-02.exe
2384	PI-12042023-02.exe
2384	PI-12042023-02.exe
2384	PI-12042023-02.exe
2384	PI-12042023-02.exe
2384	PI-12042023-02.exe
2384	PI-12042023-02.exe
2384	PI-12042023-02.exe
2384	PI-12042023-02.exe
2384	PI-12042023-02.exe
2384	PI-12042023-02.exe
2384	PI-12042023-02.exe
2384	PI-12042023-02.exe
2384	PI-12042023-02.exe
2384	PI-12042023-02.exe
2384	PI-12042023-02.exe
2384	PI-12042023-02.exe
2384	PI-12042023-02.exe
2384	PI-12042023-02.exe
2384	PI-12042023-02.exe
2384	PI-12042023-02.exe
2384	PI-12042023-02.exe
2384	PI-12042023-02.exe
2384	PI-12042023-02.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
672	Process not Found
672	Process not Found

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeDebugPrivilege	1192	PI-12042023-02.exe
Token: SeTakeOwnershipPrivilege	2384	PI-12042023-02.exe
Token: SeAuditPrivilege	2756	fxssvc.exe
Token: SeRestorePrivilege	2936	TieringEngineService.exe
Token: SeManageVolumePrivilege	2936	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2824	AgentService.exe
Token: SeBackupPrivilege	4444	vssvc.exe
Token: SeRestorePrivilege	4444	vssvc.exe
Token: SeAuditPrivilege	4444	vssvc.exe
Token: SeBackupPrivilege	3092	wbengine.exe
Token: SeRestorePrivilege	3092	wbengine.exe
Token: SeSecurityPrivilege	3092	wbengine.exe
Token: 33	1208	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeDebugPrivilege	2384	PI-12042023-02.exe
Token: SeDebugPrivilege	2384	PI-12042023-02.exe
Token: SeDebugPrivilege	2384	PI-12042023-02.exe
Token: SeDebugPrivilege	2384	PI-12042023-02.exe
Token: SeDebugPrivilege	2384	PI-12042023-02.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2384	PI-12042023-02.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1192 wrote to memory of 4728	1192	PI-12042023-02.exe	92
PID 1192 wrote to memory of 4728	1192	PI-12042023-02.exe	92
PID 1192 wrote to memory of 4728	1192	PI-12042023-02.exe	92
PID 1192 wrote to memory of 2384	1192	PI-12042023-02.exe	93
PID 1192 wrote to memory of 2384	1192	PI-12042023-02.exe	93
PID 1192 wrote to memory of 2384	1192	PI-12042023-02.exe	93
PID 1192 wrote to memory of 2384	1192	PI-12042023-02.exe	93
PID 1192 wrote to memory of 2384	1192	PI-12042023-02.exe	93
PID 1192 wrote to memory of 2384	1192	PI-12042023-02.exe	93
PID 1192 wrote to memory of 2384	1192	PI-12042023-02.exe	93
PID 1192 wrote to memory of 2384	1192	PI-12042023-02.exe	93
PID 2384 wrote to memory of 2536	2384	PI-12042023-02.exe	100
PID 2384 wrote to memory of 2536	2384	PI-12042023-02.exe	100
PID 2384 wrote to memory of 2536	2384	PI-12042023-02.exe	100
PID 2384 wrote to memory of 2536	2384	PI-12042023-02.exe	100
PID 2384 wrote to memory of 2536	2384	PI-12042023-02.exe	100
PID 1208 wrote to memory of 4284	1208	SearchIndexer.exe	121
PID 1208 wrote to memory of 4284	1208	SearchIndexer.exe	121
PID 1208 wrote to memory of 3892	1208	SearchIndexer.exe	122
PID 1208 wrote to memory of 3892	1208	SearchIndexer.exe	122

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\PI-12042023-02.exe
"C:\Users\Admin\AppData\Local\Temp\PI-12042023-02.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1192
- C:\Users\Admin\AppData\Local\Temp\PI-12042023-02.exe
  "C:\Users\Admin\AppData\Local\Temp\PI-12042023-02.exe"
  2⤵
  PID:4728
- C:\Users\Admin\AppData\Local\Temp\PI-12042023-02.exe
  "C:\Users\Admin\AppData\Local\Temp\PI-12042023-02.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2384
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path
    PID:2536

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4564

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2864

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3352

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2756

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5100

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4412

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3532

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4488

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1888

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:652

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3096

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2748

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4828

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1224

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4808

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3408

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:820

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2936

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2824

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2160

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4444

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3092

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1456

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1208
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4284
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3892

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
95d5aca1a0291e172e53ae1a2c1fe16e

SHA1
16e1bc38f5c0d86d7f782b3ad46843df3b99fe9f

SHA256
c25928ee83dc09f7aaea6dd16e1d09892570b4eb5820e4984e7acd5779829b9a

SHA512
81f7c8f2c10a75410335e7630ddb418791d5758fba51f3e93edd9c0f80017d26288b077542b1996b63d2b08e582141e0b475176e2f826451e5f155aa47776279

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
047a3cc16d05c04aa30f2322f4262076

SHA1
e1e61675063b0244cb1b601d9be72627c6d1e30e

SHA256
ffc91435f11a9591691db2345cbd06326f312071ec29dd34c99e3238fc57bb83

SHA512
31bb27abf514bb90b3dadf74117535cbc1cdd9e3b27855f211d71d4f3f9ba2d03e00af4a07bf093b0128436a161f582bd7752bbff4c37b622b4c03384b77cae1

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
92bfa33a7505d141f074e67786506547

SHA1
5990c1312f2df0c787cc41e35ff6bca5492fe804

SHA256
a609b9cb54417dcf9ff72c480fed56fb8ddadfcf1a495888a895a5a02c8d4318

SHA512
eacea3c77477cdb707a41a789eefd83d86c150858126286843bbdc0f8264502863bb7e9ac266303103fedad1a97aad7ede9b072c3fad17f918cc41484187d3ab

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
79000d010c4086721c4eb952d4439ad3

SHA1
47fd371d631c53aefdeb10f1f06076773577f649

SHA256
e0150ba98a9d5c5d4f91a646cb28da2eae72e21c0da86f9547c73c141391acfb

SHA512
cd8d3bc78f55802e294d46f18dac64da6086c4711dff7990876c2882d3ad05d1ee0fa362d4871c9bc36df0c701c3eaa1fa6103a2466f8839259dd1af616992cc

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
dc8def472623c7fff78a9dc2e633b461

SHA1
7686dd4e16493f148c41ddbdf52f1161d434269a

SHA256
09f6a65f91840619153b9d84dc421c1fa606f10b8807d2eb93c89ebb4164d19a

SHA512
33e8574c48de6dc9ff32eafad177d5a72c9b573d0f41cd76950a0a357496008cd1f3a43b1ed99c5d765be5a212f08fdd99c42a41c046cf5ee6cedf7e7f6bd37a

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
4428e282a2876b1d99d61772e7c60c94

SHA1
a3aac7f705bbef11a3b21dd3897147d74af9572d

SHA256
22048e7cf61f3c6d050427f3dfb7bf8c0da709cb28b8a8d0f395863be29265aa

SHA512
96650d7299106a537f7cfd1b648da4269f5615b81f42a5d493a6dceac5e723978a8ee2323b642ce8c139ff604d62107e6cb73c3f93f1a42a59741840d0e87463

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
1b22cf6a5d3ee6c420053e10336f4a48

SHA1
eab3d71ccd8fa6f14d1b22055d5cbf0ae69b2d58

SHA256
febb88756ae3c668c501ce2a1d10e22febc4b65209e40dcf5feaf130caa3b7e9

SHA512
811e4aa5d33e06ffa9077f28850e79a72c05eac9583952316709c4bf02c6e5abe471acc9f81beb16d01f7db711441ae5bb537d46139681910221ae8da821c162

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
6dc04ef294154ca791ea0920f786ce1c

SHA1
1368d93df91e36fe1d5d5bb18b6ccbf8488ca01c

SHA256
1a178aa53a0d5849034f180c847f6cbdc3f6cda42ea3a8d950af80a08b3e9a24

SHA512
3329c3bb138054cb17e24433d441612ed9355cb889dc782dda45ed25151d965159d2947041e2e0cb3fb0ed4a72875091aa6ac4a23c08906f2234cfa63c42a2f1

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
560fef8978bc25a15996c4123d7cfee0

SHA1
2232b9a7853b294188062839b3b8533af0d24303

SHA256
2981b8599eb564aebcfd9927b8b50adbea6b62df3b2f3b4ed668c742fedcee7d

SHA512
8df5079fed1f8f44ea38135048fb6b62728869e85a0ac186ac5a0ae91b612700c6b909f07d41bf863ad130c483680380bf35d23b04b901f73642ed7168eb1947

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
e5ec4752066823eb2d1d631438acc0ea

SHA1
02dd36bf7b407686ab21a1fe32f66ee9ed86a2a7

SHA256
19d41586b0522bc28c778c44863c57c93a15ef9fabeef47004920f1db401fdd5

SHA512
cf7c0508c96e582d2c592e9049323bb70f91bf42a2477e7f0b91f051c15d489374d27f74384790f5f5679fee3bac90b3c7c5d0d4820ac367373b27fad47d4619

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
e5ec4752066823eb2d1d631438acc0ea

SHA1
02dd36bf7b407686ab21a1fe32f66ee9ed86a2a7

SHA256
19d41586b0522bc28c778c44863c57c93a15ef9fabeef47004920f1db401fdd5

SHA512
cf7c0508c96e582d2c592e9049323bb70f91bf42a2477e7f0b91f051c15d489374d27f74384790f5f5679fee3bac90b3c7c5d0d4820ac367373b27fad47d4619

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
764e0e95806e4a4ee0723f845b070c19

SHA1
4ab808ff3d7d167db299ae7d95576e27d1be70fc

SHA256
8a5439ad0d0a72aa807100b403a2976563647c3680e6048ab2ba74911c074b3e

SHA512
e29f2309a4ed7ce9438f7fbae6345dfbf80f88c49f46145f74a69f1a1253d5559a79cdc4ec9908a2e33cf4340b813b657de15d784b5802758a08e8d53a26c3df

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
b5b9c3f739faafb3028be79b9b4cfa42

SHA1
37ae9f54ded45b1d01d22688f0cdcc0ed1091613

SHA256
e0857d1d6c7377222bf4b551d8dc5c60a28df5a7dde08bb2fdd808d750872672

SHA512
b3e3cb771a036cd1e5a4a4736cb0aa5a37360157b4a72bf6cf542f7d7cdc9e36e6fd579befc108ed81a8bc3f415f2958da8e496e17c127d138ab487a20995611

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
9b79d4c1fe1df0f29db33c4b74604ad8

SHA1
34915fcf98e43580f8ea37e10956dc1c18f8d6af

SHA256
f30d4e7392f54f61a9d1e601230f7f6c516010604d081dbf85201a439eaeaea6

SHA512
04054aaba1532a62e1d077e77d305bf27487af27bb083c713c85b5cf89d05f6aac0551d4b45ec7fe995385df55c58621c5aa7177114c2ee5b599e5f0b6bd01d0

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
5e2bd65d3405fdb9d641948beb79eea2

SHA1
81ec9bb33fdebe6da7af26545e4e9ee54fe221d1

SHA256
4e7486ed7463eccc7d791bf02ccf5d321e35d8527c560064471eddfe911a5ae4

SHA512
0a13b9cf5540a066595ba580b65bc5e7f7d0765fd7d7f824e55fe7772f8896f3d68d93ccdca9a6420b9805a8e98badfd868f787a431a0c1690502697277be3ef

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
26c8223e3d1fda1213249c3c9ce68c49

SHA1
32244be384b5ef536c711f532e34ed847861924b

SHA256
6bd61eb5d641db9915866eb08b6644041b9250749834984c4ccc41526bc9dab2

SHA512
ec905b1d1f1b41ca8cd7948a43bbfdab8d317ee96f889b9ef563b0f251a9c4af72d438023104b95fcd3e8990cc3ada569db0e7a97384a66a992d57890e790b05

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
3bd9bbf551281a6878c9a2be64e7c6a0

SHA1
cbd6829e2fc4a15ba7666c28f11c7cae149b9fe2

SHA256
b0bdc804d4320abdf59f2cd54fb917dba500bb4f53564a10dfae7ae9034a80e9

SHA512
e79e3ce18bf37be9caade4e6cce04610eccb9a580b4b4a54b6034a946b18b34504fb83b4bcc69c6bce5857c0f8e92520fe9091b0de275fc76184a396bc084a37

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
c6f3d79d331366b6d7a51bcf4f71abe3

SHA1
b3c0f8fe7bab394bbb39bce41046a101055e472b

SHA256
64ac8529b0dbd130690213a76853658ccedc49a5bd234b884a6c7f525af1cc54

SHA512
459781576049f65f5e9fcc2463dc67132b5801c1d71aa952e54e07cafad1cc4e9683cbe43241e3e01a9e1b36e9da27e1b5d68a0f94fe81dd453ce34234d3c284

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
60ec672dbc613fb5bbe48b08ddc7476d

SHA1
0738d85264d5daa3366003058da4a115c8195e2f

SHA256
1ee2ddf8adba617ba2049466006271ab4a51bc9f7332bcfece888d2856c6ba89

SHA512
70c3b92c7b75307672578f4aaee61e33eeefb52accddec56f92df4e740557256e72fdb7e476467dd721763664faf28d317983bdd01dd05f81edcc4844f693ab9

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
69d899f23da693070632f4f2d3859900

SHA1
a992a817ac73969f92242de688712f1cecb098df

SHA256
ea57e700637804632f301d20dbac9767b241ca9ddebfcd1164d67d2a5121daed

SHA512
d807da3c23d85f297c24d7c48d74770146ee3ca92de462676236972a1bdef96b7ef6ef84669e16e4791e880d2bdac9a63ec11bcde6f1044a8635cff0d491e9e8

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
4de0ceb4a382834fca659180ef9b3caa

SHA1
16fd4d7d0ffcfc657683b77d267610eb033c55ca

SHA256
6a5968c64f8286cfe37c14f49d45912f8e1e5b8c3a6434519f83b02137d1a2f4

SHA512
39c1796eea828df7e38e9b10fc0e5318a7dd5a087176091269045888a2bf61a44dbfa0eacc720edeaa5db363d0d7591d8ecdfefac0996e69f33a76f172177a83

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
cc22490bd66c7c6495a4daec9cf51ac5

SHA1
09518a01c4b8981ee7fb8187805d03540d389ce4

SHA256
8c3c30fcf5364d15555b6c3dd2e2ce4f81a3e294e34e3f7cd755d2b953a1d1fe

SHA512
71c471fa51ac10fbd5f3850bae0c5d741e68b35b2ea8b428cc53aaf2c12b53afdfea51e3763df965ef0ba26d6fc62207ceda0c3d7df45016a3a51f80588d845e

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
208eaa03ff7eec5f2c666ef81e489801

SHA1
0d7e6070bfc38a7d24f9cb24c4273fbb5ab665bc

SHA256
5c1125486c152f4f7a9acf8c4a629a9bb60d620d45d366f6c7c3c4df745a518b

SHA512
87a4c909158c2d4fd9853169e30bc6001db8418a6fb8b5d7e45dc7d74656635373915684cd72efcfad9bc0107f4703526ea19ddc91ea5ab6b8650d7d29bfa5fe

Download Submit
memory/652-268-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/1192-135-0x0000000005100000-0x0000000005192000-memory.dmp

Filesize
584KB

Download
memory/1192-136-0x00000000051C0000-0x00000000051CA000-memory.dmp

Filesize
40KB

Download
memory/1192-137-0x0000000005280000-0x0000000005290000-memory.dmp

Filesize
64KB

Download
memory/1192-139-0x0000000008520000-0x00000000085BC000-memory.dmp

Filesize
624KB

Download
memory/1192-134-0x00000000055B0000-0x0000000005B54000-memory.dmp

Filesize
5.6MB

Download
memory/1192-133-0x00000000005D0000-0x0000000000744000-memory.dmp

Filesize
1.5MB

Download
memory/1192-138-0x0000000005280000-0x0000000005290000-memory.dmp

Filesize
64KB

Download
memory/1208-594-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1208-454-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1224-332-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1456-593-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/1456-452-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/1888-267-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/2160-364-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2160-477-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2384-140-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/2384-143-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/2384-144-0x0000000001220000-0x0000000001286000-memory.dmp

Filesize
408KB

Download
memory/2384-149-0x0000000001220000-0x0000000001286000-memory.dmp

Filesize
408KB

Download
memory/2384-362-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/2384-157-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/2536-207-0x0000000000C20000-0x0000000000C86000-memory.dmp

Filesize
408KB

Download
memory/2748-301-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/2756-198-0x0000000000E40000-0x0000000000EA0000-memory.dmp

Filesize
384KB

Download
memory/2756-201-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2756-188-0x0000000000E40000-0x0000000000EA0000-memory.dmp

Filesize
384KB

Download
memory/2756-180-0x0000000000E40000-0x0000000000EA0000-memory.dmp

Filesize
384KB

Download
memory/2756-183-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2824-360-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2824-357-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2864-176-0x0000000000650000-0x00000000006B0000-memory.dmp

Filesize
384KB

Download
memory/2864-181-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/2936-355-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/3092-394-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3092-563-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3096-299-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/3408-334-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/3532-219-0x0000000002230000-0x0000000002290000-memory.dmp

Filesize
384KB

Download
memory/3532-225-0x0000000002230000-0x0000000002290000-memory.dmp

Filesize
384KB

Download
memory/3532-228-0x0000000002230000-0x0000000002290000-memory.dmp

Filesize
384KB

Download
memory/3532-231-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3892-856-0x0000017CE6010000-0x0000017CE6020000-memory.dmp

Filesize
64KB

Download
memory/3892-701-0x0000017CE6010000-0x0000017CE6020000-memory.dmp

Filesize
64KB

Download
memory/3892-702-0x0000017CE6010000-0x0000017CE6020000-memory.dmp

Filesize
64KB

Download
memory/3892-700-0x0000017CE6010000-0x0000017CE6020000-memory.dmp

Filesize
64KB

Download
memory/3892-699-0x0000017CE6010000-0x0000017CE6020000-memory.dmp

Filesize
64KB

Download
memory/3892-698-0x0000017CE6010000-0x0000017CE6020000-memory.dmp

Filesize
64KB

Download
memory/3892-667-0x0000017CE5FF0000-0x0000017CE5FF1000-memory.dmp

Filesize
4KB

Download
memory/3892-666-0x0000017CE5FE0000-0x0000017CE5FF0000-memory.dmp

Filesize
64KB

Download
memory/3892-710-0x0000017CE6010000-0x0000017CE6012000-memory.dmp

Filesize
8KB

Download
memory/3892-851-0x0000017CE5FF0000-0x0000017CE5FF1000-memory.dmp

Filesize
4KB

Download
memory/3892-854-0x0000017CE6010000-0x0000017CE6020000-memory.dmp

Filesize
64KB

Download
memory/3892-855-0x0000017CE6010000-0x0000017CE6020000-memory.dmp

Filesize
64KB

Download
memory/3892-857-0x0000017CE6010000-0x0000017CE6020000-memory.dmp

Filesize
64KB

Download
memory/3892-858-0x0000017CE6010000-0x0000017CE6020000-memory.dmp

Filesize
64KB

Download
memory/4412-209-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4412-365-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4412-214-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/4412-205-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/4444-530-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4444-386-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4488-233-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/4488-237-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/4488-385-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/4564-156-0x0000000000650000-0x00000000006B0000-memory.dmp

Filesize
384KB

Download
memory/4564-363-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/4564-159-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/4564-164-0x0000000000650000-0x00000000006B0000-memory.dmp

Filesize
384KB

Download
memory/4808-474-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4808-333-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4828-389-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4828-302-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5100-366-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/5100-192-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/5100-200-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/5100-211-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download