blustealer | f266e9833cf991a972db594ad7afad2332dfccdd2b7454e49455b759f406bcd2

Analysis

max time kernel
160s
max time network
167s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
01-05-2023 20:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TT_copy.exe
Size

1.6MB
MD5

3acff0b9068df07116870bf461f4f7c1
SHA1

fb7c0e6fcee327e8ed755e8f1c5199f35a3c4723
SHA256

f266e9833cf991a972db594ad7afad2332dfccdd2b7454e49455b759f406bcd2
SHA512

0bf707bc83a739e6ed63a56b76323db9c59fd6a3bfb05c760adc77cf918efddf1d9d4769bc14fc5846e0c1d836e3cefc8169778d8c0182e20a0a368e80c6494d
SSDEEP

49152:zxy+4OponS7iO7PYPhR/vNv1YWsWXLbZG8T0Zh591z:MKpoq57+/tztXLbZJGT

Score

10^/10

blustealer collection spyware stealer

Malware Config

Extracted

Family

blustealer

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 22 IoCs

pid	Process
952	alg.exe
1512	DiagnosticsHub.StandardCollector.Service.exe
3268	fxssvc.exe
1908	elevation_service.exe
4000	elevation_service.exe
5040	maintenanceservice.exe
5116	msdtc.exe
4932	OSE.EXE
3436	PerceptionSimulationService.exe
1916	perfhost.exe
3856	locator.exe
4556	SensorDataService.exe
2172	snmptrap.exe
1096	spectrum.exe
3020	ssh-agent.exe
4388	TieringEngineService.exe
228	AgentService.exe
1516	vds.exe
3192	vssvc.exe
4880	wbengine.exe
1360	WmiApSrv.exe
3932	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	TT_copy.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	TT_copy.exe
File opened for modification	C:\Windows\system32\locator.exe	TT_copy.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	TT_copy.exe
File opened for modification	C:\Windows\System32\vds.exe	TT_copy.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	TT_copy.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	TT_copy.exe
File opened for modification	C:\Windows\system32\spectrum.exe	TT_copy.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	TT_copy.exe
File opened for modification	C:\Windows\system32\AgentService.exe	TT_copy.exe
File opened for modification	C:\Windows\system32\vssvc.exe	TT_copy.exe
File opened for modification	C:\Windows\system32\wbengine.exe	TT_copy.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	TT_copy.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	TT_copy.exe
File opened for modification	C:\Windows\System32\alg.exe	TT_copy.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\e9c866adc0346ca3.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	TT_copy.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	TT_copy.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	TT_copy.exe
File opened for modification	C:\Windows\System32\msdtc.exe	TT_copy.exe
File opened for modification	C:\Windows\system32\msiexec.exe	TT_copy.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	TT_copy.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	TT_copy.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 984 set thread context of 1892	984	TT_copy.exe	93
PID 1892 set thread context of 4676	1892	TT_copy.exe	120

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	TT_copy.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	TT_copy.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe	TT_copy.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmic.exe	TT_copy.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\unpack200.exe	TT_copy.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javaws.exe	TT_copy.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	TT_copy.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	TT_copy.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	TT_copy.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	TT_copy.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	TT_copy.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmap.exe	TT_copy.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\rmiregistry.exe	TT_copy.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	TT_copy.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe	TT_copy.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe	TT_copy.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe	TT_copy.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	TT_copy.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	TT_copy.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	TT_copy.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	TT_copy.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmid.exe	TT_copy.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\wsgen.exe	TT_copy.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\servertool.exe	TT_copy.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	TT_copy.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	TT_copy.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	TT_copy.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	TT_copy.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	TT_copy.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jvisualvm.exe	TT_copy.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jjs.exe	TT_copy.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	TT_copy.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	TT_copy.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	TT_copy.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javac.exe	TT_copy.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe	TT_copy.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jconsole.exe	TT_copy.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\ktab.exe	TT_copy.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	TT_copy.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	TT_copy.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\keytool.exe	TT_copy.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\policytool.exe	TT_copy.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\java.exe	TT_copy.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	TT_copy.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	TT_copy.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	TT_copy.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jjs.exe	TT_copy.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe	TT_copy.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\policytool.exe	TT_copy.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jjs.exe	TT_copy.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\rmid.exe	TT_copy.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	TT_copy.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	TT_copy.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	TT_copy.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javah.exe	TT_copy.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jinfo.exe	TT_copy.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jsadebugd.exe	TT_copy.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\schemagen.exe	TT_copy.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\keytool.exe	TT_copy.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	TT_copy.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	TT_copy.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jhat.exe	TT_copy.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\serialver.exe	TT_copy.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javacpl.exe	TT_copy.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	TT_copy.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c03a81fc697cd901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006dd710f7697cd901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e6a38bfb697cd901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ad02dfd3697cd901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bf9b45fc697cd901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005379fdf9697cd901	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a99c26fc697cd901	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bd2930fc697cd901	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008c01ccfb697cd901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fcdbc4fb697cd901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	99	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
1892	TT_copy.exe
1892	TT_copy.exe
1892	TT_copy.exe
1892	TT_copy.exe
1892	TT_copy.exe
1892	TT_copy.exe
1892	TT_copy.exe
1892	TT_copy.exe
1892	TT_copy.exe
1892	TT_copy.exe
1892	TT_copy.exe
1892	TT_copy.exe
1892	TT_copy.exe
1892	TT_copy.exe
1892	TT_copy.exe
1892	TT_copy.exe
1892	TT_copy.exe
1892	TT_copy.exe
1892	TT_copy.exe
1892	TT_copy.exe
1892	TT_copy.exe
1892	TT_copy.exe
1892	TT_copy.exe
1892	TT_copy.exe
1892	TT_copy.exe
1892	TT_copy.exe
1892	TT_copy.exe
1892	TT_copy.exe
1892	TT_copy.exe
1892	TT_copy.exe
1892	TT_copy.exe
1892	TT_copy.exe
1892	TT_copy.exe
1892	TT_copy.exe
1892	TT_copy.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
680	Process not Found
680	Process not Found

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1892	TT_copy.exe
Token: SeAuditPrivilege	3268	fxssvc.exe
Token: SeRestorePrivilege	4388	TieringEngineService.exe
Token: SeManageVolumePrivilege	4388	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	228	AgentService.exe
Token: SeBackupPrivilege	3192	vssvc.exe
Token: SeRestorePrivilege	3192	vssvc.exe
Token: SeAuditPrivilege	3192	vssvc.exe
Token: SeBackupPrivilege	4880	wbengine.exe
Token: SeRestorePrivilege	4880	wbengine.exe
Token: SeSecurityPrivilege	4880	wbengine.exe
Token: 33	3932	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3932	SearchIndexer.exe
Token: SeDebugPrivilege	1892	TT_copy.exe
Token: SeDebugPrivilege	1892	TT_copy.exe
Token: SeDebugPrivilege	1892	TT_copy.exe
Token: SeDebugPrivilege	1892	TT_copy.exe
Token: SeDebugPrivilege	1892	TT_copy.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1892	TT_copy.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 984 wrote to memory of 1892	984	TT_copy.exe	93
PID 984 wrote to memory of 1892	984	TT_copy.exe	93
PID 984 wrote to memory of 1892	984	TT_copy.exe	93
PID 984 wrote to memory of 1892	984	TT_copy.exe	93
PID 984 wrote to memory of 1892	984	TT_copy.exe	93
PID 984 wrote to memory of 1892	984	TT_copy.exe	93
PID 984 wrote to memory of 1892	984	TT_copy.exe	93
PID 984 wrote to memory of 1892	984	TT_copy.exe	93
PID 1892 wrote to memory of 4676	1892	TT_copy.exe	120
PID 1892 wrote to memory of 4676	1892	TT_copy.exe	120
PID 1892 wrote to memory of 4676	1892	TT_copy.exe	120
PID 1892 wrote to memory of 4676	1892	TT_copy.exe	120
PID 1892 wrote to memory of 4676	1892	TT_copy.exe	120
PID 3932 wrote to memory of 2812	3932	SearchIndexer.exe	121
PID 3932 wrote to memory of 2812	3932	SearchIndexer.exe	121
PID 3932 wrote to memory of 4432	3932	SearchIndexer.exe	122
PID 3932 wrote to memory of 4432	3932	SearchIndexer.exe	122

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\TT_copy.exe
"C:\Users\Admin\AppData\Local\Temp\TT_copy.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:984
- C:\Users\Admin\AppData\Local\Temp\TT_copy.exe
  "C:\Users\Admin\AppData\Local\Temp\TT_copy.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1892
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path
    PID:4676

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:952

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1512

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1408

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3268

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1908

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4000

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:5040

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:5116

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4932

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3436

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1916

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3856

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4556

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2172

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1096

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3020

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4216

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4388

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:228

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1516

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3192

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4880

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1360

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3932
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2812
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4432

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
b953ef003ec22ea1cfd5ffde11e94afb

SHA1
962c5c3f630ee03e2277ad168ce9a3efad26f0e3

SHA256
5957648b05cbfe0c7f932e0c4d0ae7b37d8e8f7b7c085b1964309b0211e19c61

SHA512
0cb5612cfdb6c90cbeb4bdde041f043d148a179c182fc5f3250985c192ce03264cee7a03fd081109820ac073676d60d7be74cb86611e794b1bb2f4b01fac65f6

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
6f78135fa79c8cfff401f443581c89fc

SHA1
59cd9a544114e047887e41fa2fe923099783116e

SHA256
22fd3e0bffe892f3f971d9f347205bfb846df33a02b7a8d3fab0db3354abf505

SHA512
9f7b974020a16a34855466d6ae51f96b941f1592bffb5dd70a01ca01954a287e34b9c324748e967ee7ab6c659bed3526d1764c0f878db87654b7affacfc7dec6

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
7feeb68b033fd768af17362878dfd4a9

SHA1
cad536b46748205de91d95770cf36008a2bdbb43

SHA256
a392eb2fd9452aaec70eb3a4ce1373e20e6054220300f9785a41bbe2877ee83d

SHA512
2d8b3a1446ee228295d44ca10f6893c1b9612d54094ba3f425f89b5296e7c0b8bb03ceb999e6e7f7fc2deeff0138e02ef73f775aaf946e003d067f19c3ac3e1b

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
bc3250227cac239bb0c3c4bf057cda08

SHA1
a0ed873877ca19b27f573fbc3f3a13ce5298769b

SHA256
32e0eb75c166de6e0b694b0517c668fd870e87a2183abd723148d195d2ff980e

SHA512
9e85393b065bcfe6de9c5aa96f7f083f35a654fe227a117f065ec2a644e80d8086940266dd187716dd4a8406757ab0ab694c2a680e86860d077dff697610ef1e

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
82a08c66646f061143e0054c7737f1bb

SHA1
7d1fcfa11f993c34d0db91e01c3ef5e616dc46d3

SHA256
9cd9b4d5ddbbe46088251e41d3dadd5845670af9bf8e17d0de49e700089f4e0d

SHA512
5c79c5f82de60c14542e71b69dc434b532c2c67c27b135eb512acc96a0a3caee357907e40952fda0fc18600973f92dc759d9dcbc4ca17ea5282cc30371718d68

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
efeea8bbf9b7e1ccf7245cd60a4ecd64

SHA1
c58c627e80ad16f3411cc8498a9cb13a4174c08d

SHA256
e91d795853158b8a8962ee3f03d247ebac292ffc8cac02f96898aa01f946bd4a

SHA512
7f5a04d40e5c45386aa1c7efa19077c6e4d1306d5f84be503df5a0c0c4035328974a55dfc7138d4da2353133e10509bcdcd26d307c5d9984750a0a1f2641aac3

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
2b6785b2a1481512f603643cef277ef8

SHA1
a390dcc98607745883ae4fb692350f1d3edfc3bc

SHA256
d60b00fcc99adcce5815eea36a268a875834e187c8bb978f09f28500666cdc8a

SHA512
90c0431007de2011fde94473fededee9a9fa2cf640b81a6f3de6dc4702e3dd96a483d8d88977b6158878a7c2be9aa7ed8b8e24aff24a5d23cc10769bbbecfbfb

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
b8cff0cd570661ee67e77b780a1a782a

SHA1
41cd169ff406780ee43a4b172f0f22c42750d344

SHA256
a4b16abbfec0d077b0045d3c8bd6bd0af4dcb51fbe34afc8dad229d41ccc1a31

SHA512
c23cbe653a78d8f439905c75ed38632b067b78a146260d84700920cf08f2f1f6a000955b02e906d58f83e386357f32ae3dbfa4d9658f5270a0828e8611b11f39

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
d18f3dab16d5cbf282196e36ee9d6b1e

SHA1
8641e397584e9f431140c3c6a44877d7b8a3b28f

SHA256
55fafc86baa88ea746bf40255c3a25923e454ab808a82dfad6a5ae1b894f1cfd

SHA512
1f2e4bb74e4ba43a9a4181ee178faa9ebc6b9e75221b24bb5b6a48e7f67528a79f62265d03831c5f08e3f1c47cc737ff5b5c7721d05761040d7492bc6a81cd97

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
41c1f938cacddeec12610298aa7cc1e0

SHA1
3bb9190836d9421a3486763d3bde1a0d280598b5

SHA256
beab4594b3dce20da5124f5855bb8eaacd48da21c2a35c03fdc08887b99bf242

SHA512
1cfec62a68a3a87edf5388193dfde03acad39e8ec9aacd3fc9619c717b62f3fa957f9d4f7fbe52854aa6eaa071d8593c468f89d6275b3ae23515cea073af25d0

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
41c1f938cacddeec12610298aa7cc1e0

SHA1
3bb9190836d9421a3486763d3bde1a0d280598b5

SHA256
beab4594b3dce20da5124f5855bb8eaacd48da21c2a35c03fdc08887b99bf242

SHA512
1cfec62a68a3a87edf5388193dfde03acad39e8ec9aacd3fc9619c717b62f3fa957f9d4f7fbe52854aa6eaa071d8593c468f89d6275b3ae23515cea073af25d0

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
90023a2842153cac0c83fd9cc5adce79

SHA1
a8d7fab7af6b13994075cff25670f2eb7a63dc15

SHA256
28fff1b1e892382626563c1be0f058f8d8a3b2c8f5d9e9efec6796d27dca258b

SHA512
2da72b0d7c33131a1a1389b2817936e2c610e9764bc46411fb7c094578a97b0c29749468feb2ff4543399e882e77e1f07c1cea86f71bfffe8fa6e2cd934890ca

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
c185c3a09ad85ff2597b22e82350a87c

SHA1
28eb402e0177962640ad75e7cf50d771d89dc2ea

SHA256
c3c44abb26a61ef09864ee0ed29630c3f0c8eaf25c9862f6b0628fb61688c1dc

SHA512
a3ced4a5d2aee604be0ea5c6aa069ad27d76cb5384148e57d6cc3bed8b4581bbc3e83bc656dfaed462f04955f257bccf1f711abfcecf819da3620522d3eb9b3f

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
4497dd1499e538b660d84a5faf172869

SHA1
5ddba3b4d2524c860c61103bd49e9e930044bf6f

SHA256
9c88b27fa853789f2778e3aebf753c33128bc74d911ba26ca45e3398b1eb6cfc

SHA512
b58f46dbe4f1ce8d21871ff38050c07b18337ab4aa0a1743d6e1b9f0747c7b271df3ae8ceb4e9fe0398c7e4bba4ed97279ef9cf242a314488ea4de8d182b4d19

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
af8bfe6e3311859e7243ae2dee829809

SHA1
4f0223cbd4bf13cdefdf4480dc56daa19d274f3f

SHA256
805137ef510e9ad1319a40cde9977614432529e09f0135ba8b0f3fd87b820cef

SHA512
e9da07008e9710b4cd5d938185f57d9b93bc6895215cd6a65ae7be37f8cb05787c25a569a44bf863de2bf8315a7c5df8a2273e2c00dd2cfd38d75528ff59181a

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
85a0b99302e7b2259b832ca99f8d4a8f

SHA1
c69d8cb8b2ce5e4c65494a316a123ef1bdd13542

SHA256
daf172787031a5626a6274f3e6ff906bb36c27cc72b68808a3cb7a7626d2861c

SHA512
e2a65cf026d3b88fe801da8f2b77979abc08e7f76b8d4bc67ffb9cfd545f8d4b6deedfaddeb38a817f2f7ad92ea0da22dd25e4c4d72f1ae57df9374ae0bfef60

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
ef5dcab966d0716d79c22bc69abfb1fb

SHA1
90a1eb42afbd75e2bd9ea0d789727f50d176a3da

SHA256
912d723991d4efd5f913ea70f2e05d86583e49480569f16c23bfed3f2b831559

SHA512
3a58a63e8ba5ed3c60c494ce50c2b6415fdb2e5a9bcd1b6f3bc347a36ac539e21db875df64ae52d1d49c2c480b0d785810f9d0284d63dcbb3aa2566c113dcd5c

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
e2a5fd25ecaccc8ebce3da23a5e9f227

SHA1
0df3ad478723580b9bf93071be1e72d957ed7255

SHA256
5ce7be3d2f97b0cdeed4cf07886f7fbce077ac34d6d6cdf4e84375a19d69268a

SHA512
dc752d7ac7909ef6920d1e16500fae09cbd9f7a58e4e61a108e5559ea47dc0af6b8724dcc69d276828591f273f4a33ab2df7c235c45a32cca8a3b7b89f3300a7

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
a6c39b696859397e7c9079c23e5afa80

SHA1
9bb8e811ca1eacaa80e7607a80d71b62bb0ae345

SHA256
1331657eec09765d589b52284fbfde5b741ec0acd6a294dad11df37529610fd2

SHA512
f8b0203a395b5833ec932b62f93815420eba68bf40e4e2dfee5fdf72a0492cc946572f4c77dbb0bf5b709c10051f9d78d309a49af70378036b946d080da8f2ee

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
0dde5b450d5fb7afcf85b5d20e13d0f7

SHA1
cc4c057d0f859e14b1ae48551d215075a04e1a90

SHA256
b97df4197c62caad8de642cf46bb5f1ae66a8e75a60ddf0e2ae1681a09ff2330

SHA512
1bbeb480abe5bda0b964d6d645ccbfcecfe8dbf454e28fcc90ab4d469f66e0bb62912af3dcfd6badcbd499b28b196ef8281f09f01f84fe3eda904e7db0d611ec

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
b0291a90d9c87f71e960214b9c9e39c7

SHA1
25b7bc8ce47f8fc4bf41e41e45d5f432172c951b

SHA256
694283820a28e050e540351779c328f67008de6eb0b401c7238858f099b451cd

SHA512
b41f5861e9875b04bdfb71933156f049b85b8654d35151974c878a517bd99586b57b93da269dca736a6d0fb132029ba3dd40047982aa2a4c093308769862d414

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
7fc138a2b6251f384d0229d56fd1075c

SHA1
2adccb0c2921528501246801a653ef3088d54fb3

SHA256
e9da682fb3dcf29eac62dbb44c3499f305cb994f1a90ca018fa1cfae27180db7

SHA512
ea3e6b157ce59c38bc19d0a2c70ab1b674992331e6bd483606ad6da8a861811cf69ed5bc92ce4f5158649b2f7e3dcb149f464471a21ced940ade324bd01fb4aa

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
233a120ec3e74087e2814f36079a2d09

SHA1
dbb31b12274d17017acaafc2745fa23dc9e3dd6e

SHA256
ac8178082fcd5a1c19cf4e34afc083e7e738ea22dcd8aca16d8e74571f31f2f2

SHA512
77a86fd6dcbbbf85541385aa5c067ed87cce8e12a873966a9aeb3b271f2956aaa7b1082150d1fbcec2b1eba078aa121d0bb676021c35ae810fa82505e1afde0c

Download Submit
memory/228-360-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/228-356-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/952-163-0x00000000004A0000-0x0000000000500000-memory.dmp

Filesize
384KB

Download
memory/952-318-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/952-157-0x00000000004A0000-0x0000000000500000-memory.dmp

Filesize
384KB

Download
memory/952-165-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/984-138-0x0000000005810000-0x0000000005820000-memory.dmp

Filesize
64KB

Download
memory/984-137-0x0000000005810000-0x0000000005820000-memory.dmp

Filesize
64KB

Download
memory/984-134-0x0000000005BA0000-0x0000000006144000-memory.dmp

Filesize
5.6MB

Download
memory/984-135-0x00000000055F0000-0x0000000005682000-memory.dmp

Filesize
584KB

Download
memory/984-139-0x0000000007B30000-0x0000000007BCC000-memory.dmp

Filesize
624KB

Download
memory/984-136-0x0000000006170000-0x000000000617A000-memory.dmp

Filesize
40KB

Download
memory/984-133-0x0000000000A60000-0x0000000000C0C000-memory.dmp

Filesize
1.7MB

Download
memory/1096-550-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1096-321-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1360-611-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/1360-408-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/1512-176-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/1512-170-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/1512-179-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/1516-373-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1516-585-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1892-144-0x0000000003010000-0x0000000003076000-memory.dmp

Filesize
408KB

Download
memory/1892-154-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1892-149-0x0000000003010000-0x0000000003076000-memory.dmp

Filesize
408KB

Download
memory/1892-140-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1892-143-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1892-296-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1908-200-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1908-371-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1908-194-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1908-212-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1916-277-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/2172-320-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/3020-344-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/3192-387-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3192-607-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3268-341-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3268-187-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/3268-181-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/3268-192-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3268-190-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/3436-264-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/3856-280-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/3856-498-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/3932-612-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3932-424-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4000-372-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4000-204-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/4000-210-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/4000-213-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4388-571-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/4388-345-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/4432-659-0x000002A1FA9E0000-0x000002A1FA9F0000-memory.dmp

Filesize
64KB

Download
memory/4432-658-0x000002A1FA9E0000-0x000002A1FA9F0000-memory.dmp

Filesize
64KB

Download
memory/4432-657-0x000002A1FA9D0000-0x000002A1FA9E0000-memory.dmp

Filesize
64KB

Download
memory/4432-656-0x000002A1FA9C0000-0x000002A1FA9D0000-memory.dmp

Filesize
64KB

Download
memory/4556-476-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4556-299-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4676-420-0x0000000001230000-0x0000000001296000-memory.dmp

Filesize
408KB

Download
memory/4880-406-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4932-245-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/4932-421-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/5040-225-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/5040-228-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/5040-222-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/5040-216-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/5116-384-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/5116-230-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/5116-231-0x00000000007A0000-0x0000000000800000-memory.dmp

Filesize
384KB

Download