Analysis
max time kernel: 146s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-05-2023 14:28
Static task: static1
Behavioral task: behavioral1
  Sample: Technical Spec.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: Technical Spec.exe
  Resource: win10v2004-20230220-en
General
Target: Technical Spec.exe
Size: 1.5MB
MD5: ebf99fc11603d1ec4706b4330761df32
SHA1: c560ca5ae10593d7861701654d839d1071515866
SHA256: 693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb
SHA512: d31c699f201343bd02c07bbf5d41e00df8368b81bfbb1d037fb4b1e1894fd3b8232e80b065845745fa6dab7f23d47efbb1d8b6a9143f5b7db0fb4a57395c4f4a
SSDEEP: 49152:NQh9Nn3uFcWIY2YZGIUtNlMpovD2i9c2:0/37Wp2YPUtNlMG7N
Malware Config
Extracted
Family: blustealer
C2: https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325
Signatures
BluStealer
A modular information stealer written in Visual Basic.
Executes dropped EXE 22 IoCs
pid | Process
3704 | alg.exe
3304 | DiagnosticsHub.StandardCollector.Service.exe
2604 | fxssvc.exe
4280 | elevation_service.exe
2924 | elevation_service.exe
3100 | maintenanceservice.exe
648 | msdtc.exe
2388 | OSE.EXE
224 | PerceptionSimulationService.exe
4480 | perfhost.exe
3728 | locator.exe
1660 | SensorDataService.exe
3104 | snmptrap.exe
1856 | spectrum.exe
4852 | ssh-agent.exe
1796 | TieringEngineService.exe
4240 | AgentService.exe
1460 | vds.exe
664 | vssvc.exe
2624 | wbengine.exe
1136 | WmiApSrv.exe
808 | SearchIndexer.exe
These are existing Windows and third-party service binaries, most of which appear in the Drops file sections below as opened for modification by Technical Spec.exe before they ran. Treat each of them as trojanized until its Authenticode signature has been re-verified, and read the later signatures attributed to these process names with that in mind.
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AppLaunch.exe
Key opened | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AppLaunch.exe
Key opened | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AppLaunch.exe
The 9375CFF0413111d3B88A00104B2A6676 subkey holds Outlook account settings, including stored mail credentials, which is why mail-credential stealers read it. AppLaunch.exe is a Microsoft .NET host binary, not the sample; a legitimate AppLaunch.exe has no reason to open these keys.
Drops file in System32 directory 24 IoCs
description | ioc | Process
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | Technical Spec.exe
File opened for modification | C:\Windows\System32\msdtc.exe | Technical Spec.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\system32\locator.exe | Technical Spec.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | Technical Spec.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | Technical Spec.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | Technical Spec.exe
File opened for modification | C:\Windows\system32\dllhost.exe | Technical Spec.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | Technical Spec.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | Technical Spec.exe
File opened for modification | C:\Windows\system32\spectrum.exe | Technical Spec.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | Technical Spec.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | Technical Spec.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | Technical Spec.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | Technical Spec.exe
File opened for modification | C:\Windows\system32\AgentService.exe | Technical Spec.exe
File opened for modification | C:\Windows\System32\alg.exe | Technical Spec.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\68e7e391c0346ca3.bin | alg.exe
File opened for modification | C:\Windows\system32\msiexec.exe | Technical Spec.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | Technical Spec.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | Technical Spec.exe
File opened for modification | C:\Windows\System32\vds.exe | Technical Spec.exe
File opened for modification | C:\Windows\system32\vssvc.exe | Technical Spec.exe
File opened for modification | C:\Windows\system32\wbengine.exe | Technical Spec.exe
The 22 executables in this list are existing Windows system binaries that the sample opens for writing; the two non-executables are written by services the sample had already modified: MSDTC.LOG by msdtc.exe, and 68e7e391c0346ca3.bin under the SYSTEM profile's AppData\Roaming by alg.exe. That .bin file is the one artifact in this list worth collecting.
Suspicious use of SetThreadContext 2 IoCs
description | pid | Process | procid_target
PID 1888 set thread context of 4464 | 1888 | Technical Spec.exe | 96
PID 4464 set thread context of 4944 | 4464 | Technical Spec.exe | 123
The chain is two deep: the original sample (PID 1888) sets the thread context of a second Technical Spec.exe (PID 4464), which in turn does the same to PID 4944. Setting another process's thread context is the hallmark of process hollowing and related injection techniques. procid_target is the report's internal process number, not a Windows PID.
Drops file in Program Files directory 64 IoCs
description ioc Process: every row is "File opened for modification" by Technical Spec.exe. The 64 paths:
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
C:\Program Files\7-Zip\7zG.exe
C:\Program Files\Java\jdk1.8.0_66\bin\jstack.exe
C:\Program Files\Java\jdk1.8.0_66\bin\jstat.exe
C:\Program Files\Java\jdk1.8.0_66\bin\pack200.exe
C:\Program Files\Java\jre1.8.0_66\bin\javaws.exe
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
C:\Program Files\Java\jdk1.8.0_66\bin\xjc.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe
C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files\Java\jdk1.8.0_66\jre\bin\ssvagent.exe
C:\Program Files\Java\jre1.8.0_66\bin\unpack200.exe
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe
C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe
C:\Program Files\Java\jdk1.8.0_66\jre\bin\jabswitch.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe
C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe
C:\Program Files\Mozilla Firefox\pingsender.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
C:\Program Files\Java\jdk1.8.0_66\bin\tnameserv.exe
C:\Program Files\Java\jdk1.8.0_66\jre\bin\rmid.exe
C:\Program Files (x86)\Google\Update\Install\{12B41477-B896-4CE0-B721-49B4FD6AD28D}\chrome_installer.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Java\jdk1.8.0_66\bin\jdb.exe
C:\Program Files\Java\jdk1.8.0_66\jre\bin\pack200.exe
C:\Program Files\Java\jdk1.8.0_66\jre\bin\servertool.exe
C:\Program Files\Java\jre1.8.0_66\bin\javacpl.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe
C:\Program Files\Java\jre1.8.0_66\bin\java.exe
C:\Program Files\Java\jre1.8.0_66\bin\keytool.exe
C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe
C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe
C:\Program Files\Java\jdk1.8.0_66\bin\jconsole.exe
C:\Program Files\Java\jdk1.8.0_66\bin\schemagen.exe
C:\Program Files\Java\jdk1.8.0_66\jre\bin\klist.exe
C:\Program Files\Java\jdk1.8.0_66\jre\bin\tnameserv.exe
C:\Program Files\VideoLAN\VLC\vlc.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe
C:\Program Files\Common Files\microsoft shared\ink\mip.exe
C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe
C:\Program Files\Java\jre1.8.0_66\bin\jabswitch.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe
C:\Program Files\Java\jdk1.8.0_66\jre\bin\javaw.exe
C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\nbexec64.exe
C:\Program Files\Java\jre1.8.0_66\bin\ssvagent.exe
C:\Program Files\Internet Explorer\ielowutil.exe
C:\Program Files\Java\jdk1.8.0_66\bin\javac.exe
C:\Program Files\Mozilla Firefox\crashreporter.exe
C:\Program Files (x86)\Internet Explorer\ieinstal.exe
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Drops file in Windows directory 2 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | Technical Spec.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
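When a report like this one is exported as text, each signature table collapses into a single run of "<action> <ioc> <process>" fragments with the "description ioc Process" header glued to the first row and a stray "-" at the end, and both the path and the process name can contain spaces ("Technical Spec.exe"). The Python below is an added example, not part of the sandbox report, that recovers (action, ioc, process) rows from that form. Its inputs are short excerpts copied from this report; the action phrases it recognises are the four used by the file and registry-access tables above (the "Set value" rows of the HKEY_USERS table carry an extra "= value" column and would need their own pattern), and it borrows the process names from the Executes dropped EXE table to decide where a path ends and a process name begins.

```python
"""Added example (not from the report): recover rows from flattened sandbox signature tables.

The excerpts below are copied from this report; the helper names and the
known-process trick for splitting ioc from process are this example's own.
"""
import re
from typing import Iterable, List, Tuple

HEADER = re.compile(r"^\s*description\s+ioc\s+Process\s+")
TRAILER = re.compile(r"\s*-\s*$")

# Action phrases used by the file/registry tables on this page. Each is a full phrase,
# so "Key value queried" and "Key opened" cannot be cut at the shared word "Key".
ACTIONS = ("File opened for modification", "Key value queried", "Key opened", "Key created")
ACTION_SPLIT = re.compile(r"\b(" + "|".join(map(re.escape, ACTIONS)) + r")\s+")


def parse_pid_table(text: str) -> List[Tuple[int, str]]:
    """'pid Process 3704 alg.exe 3304 x.exe ... -' -> [(3704, 'alg.exe'), (3304, 'x.exe')].

    A process name may contain spaces ('Technical Spec.exe'), so a name extends to the
    next '<digits> ' or to the end of the text rather than to the next space.
    """
    body = TRAILER.sub("", re.sub(r"^\s*pid\s+Process\s+", "", text))
    return [(int(pid), name) for pid, name in re.findall(r"(\d+) (.+?)(?= \d+ |$)", body)]


def split_process(chunk: str, known: Iterable[str]) -> Tuple[str, str]:
    """Split '<ioc> <process>' when both halves may contain spaces.

    Known process names are tried as suffixes, longest first. If none matches, the last
    whitespace-separated token is taken as the process; that is right for names such as
    'AppLaunch.exe' and wrong only for an unknown process name that itself has a space.
    """
    for name in sorted(known, key=len, reverse=True):
        if chunk.endswith(" " + name):
            return chunk[: -len(name) - 1], name
    ioc, _, proc = chunk.rpartition(" ")
    return ioc, proc


def parse_signature_table(text: str, known: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Flattened 'description ioc Process ...' table -> [(action, ioc, process), ...]."""
    body = TRAILER.sub("", HEADER.sub("", text))
    parts = ACTION_SPLIT.split(body)  # ['', action, rest, action, rest, ...]
    return [(action, *split_process(rest.strip(), known))
            for action, rest in zip(parts[1::2], parts[2::2])]


def known_processes(pid_table: str, sample: str) -> List[str]:
    """Names the splitter may rely on: everything in the pid table plus the sample itself."""
    return [name for _, name in parse_pid_table(pid_table)] + [sample]


SAMPLE_NAME = "Technical Spec.exe"  # the submitted file; it is not in the pid table

# Excerpts copied from the report above, shortened to a few rows each.
PID_TABLE = ("pid Process 3704 alg.exe 3304 DiagnosticsHub.StandardCollector.Service.exe "
             "2604 fxssvc.exe 648 msdtc.exe 808 SearchIndexer.exe -")
FILE_TABLE = (
    "description ioc Process "
    r"File opened for modification C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe Technical Spec.exe "
    r"File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG msdtc.exe "
    r"File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Technical Spec.exe "
    r"File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\68e7e391c0346ca3.bin alg.exe -"
)
REG_TABLE = (
    "description ioc Process "
    r"Key opened \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Windows NT"
    r"\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe "
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz TieringEngineService.exe -"
)

if __name__ == "__main__":
    known = known_processes(PID_TABLE, SAMPLE_NAME)
    for table in (FILE_TABLE, REG_TABLE):
        for action, ioc, proc in parse_signature_table(table, known):
            print(f"{action:28} {proc:26} {ioc}")
```

Feeding the full tables from this page through `parse_signature_table` gives one row per IoC that can be written out as CSV or turned into a blocklist of paths per process; the known-process list is the only part that has to be adjusted for a different report.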
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments. In this run the reads come from SensorDataService.exe and spectrum.exe, two of the Windows service binaries the sample opened for modification and that were then executed (see Executes dropped EXE), so attribute the behaviour to those processes rather than to Technical Spec.exe directly.
All 64 entries sit under \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\ and concern four device keys:
  V1 = CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001
  V2 = CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002
  D3 = CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000
  H4 = Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000
For each device the processes opened the device key itself ("Key opened"), queried its FriendlyName value ("Key value queried") and opened property keys under <device>\Properties\. Which process did which (S = SensorDataService.exe, Sp = spectrum.exe):
item | V1 | V2 | D3 | H4
device key opened | S, Sp | S, Sp | S | S, Sp
FriendlyName queried | S, Sp | Sp | S, Sp | Sp
Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | S, Sp | S, Sp | S, Sp | S, Sp
Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | S, Sp | S, Sp | S, Sp | S, Sp
Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | S, Sp | S, Sp | S, Sp | Sp
Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | S, Sp | S, Sp | S, Sp | S, Sp
Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | S, Sp | S, Sp | S | S, Sp
Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | S, Sp | Sp | S, Sp | S, Sp
Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | Sp | S, Sp | Sp | S, Sp
(17 + 16 + 15 + 16 = 64 rows.)
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments. Here the reader is TieringEngineService.exe, another of the service binaries the sample opened for modification and that was then executed.
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Modifies data under HKEY_USERS 64 IoCs
All 64 writes are under \REGISTRY\USER\.DEFAULT and come from the Windows Search components SearchFilterHost.exe, SearchProtocolHost.exe and SearchIndexer.exe; SearchIndexer.exe is among the binaries the sample opened for modification and executed (see above). The values themselves are ordinary indexer state (MuiCache display strings, FileExts, shell-extension cache, DirectShow device enumeration), so this signature adds little on its own.

Key created by SearchFilterHost.exe (paths relative to \REGISTRY\USER\.DEFAULT\):
SOFTWARE
Software\Microsoft
Software\Microsoft\Multimedia
Software\Microsoft\Multimedia\ActiveMovie
Software\Microsoft\SystemCertificates
Software\Microsoft\SystemCertificates\My
Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device
Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device
SOFTWARE\Microsoft\MPEG2Demultiplexer
Software\Microsoft\MPEG2Demultiplexer

Key created by SearchProtocolHost.exe (paths relative to \REGISTRY\USER\.DEFAULT\):
Software
Software\Microsoft\Windows
Software\Microsoft\Windows\CurrentVersion
Software\Microsoft\Windows\CurrentVersion\Explorer
Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd
Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm
Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif
Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList
Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList
Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached

Set value (data) by SearchProtocolHost.exe under \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\, each value named "<clsid> {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF":
{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} = 0100000000000000c8790f395e7fd901
{97E467B4-98C6-4F19-9588-161B7773D6F6} = 0100000000000000f2c81d395e7fd901
{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} = 010000000000000014caf0355e7fd901
{3DBEE9A1-C471-4B95-BBCA-F39310064458} = 01000000000000007e166a395e7fd901
{A38B883C-1682-497E-97B0-0A3A9E801682} = 01000000000000008902f4145e7fd901
{01BE4CFB-129A-452B-A209-F9D40B3B84A5} = 01000000000000000834a4385e7fd901
{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} = 010000000000000075c73c395e7fd901

Set value (str) by SearchIndexer.exe under \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\:
C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"
C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"
C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"
C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"

Set value (str) by SearchProtocolHost.exe under the same MuiCache key:
@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"
@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"
@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"
@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"
@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"
@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"
@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"
@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"
@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"
@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"
@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"
@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"
@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"
@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"
@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"
@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"
@C:\Windows\system32\notepad.exe,-469 = "Text Document"
@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"
and, all prefixed @C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll:
,-101 = "Microsoft Excel Worksheet"
,-102 = "Microsoft Excel Template"
,-103 = "Microsoft Excel Macro-Enabled Worksheet"
,-107 = "Microsoft Excel Comma Separated Values File"
,-111 = "Microsoft Excel Macro-Enabled Template"
,-114 = "OpenDocument Spreadsheet"
,-120 = "Microsoft Word 97 - 2003 Document"
,-121 = "Microsoft Word 97 - 2003 Template"
,-123 = "Microsoft Word Document"
,-125 = "Microsoft Word Template"
,-131 = "Rich Text Format"
,-172 = "Microsoft PowerPoint 97-2003 Slide Show"
,-175 = "Microsoft PowerPoint Slide Show"
,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"
(10 + 11 + 7 + 4 + 32 = 64 rows.)
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
description flow ioc HTTP User-Agent header 82 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious behavior: EnumeratesProcesses 37 IoCs
pid Process
1888 Technical Spec.exe (repeated 2 times)
4464 Technical Spec.exe (repeated 35 times) -
Suspicious behavior: LoadsDriver 2 IoCs
pid Process 684 Process not Found 684 Process not Found -
Suspicious use of AdjustPrivilegeToken 44 IoCs
description pid Process
Token: SeDebugPrivilege 1888 Technical Spec.exe
Token: SeTakeOwnershipPrivilege 4464 Technical Spec.exe
Token: SeAuditPrivilege 2604 fxssvc.exe
Token: SeRestorePrivilege 1796 TieringEngineService.exe
Token: SeManageVolumePrivilege 1796 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 4240 AgentService.exe
Token: SeBackupPrivilege 664 vssvc.exe
Token: SeRestorePrivilege 664 vssvc.exe
Token: SeAuditPrivilege 664 vssvc.exe
Token: SeBackupPrivilege 2624 wbengine.exe
Token: SeRestorePrivilege 2624 wbengine.exe
Token: SeSecurityPrivilege 2624 wbengine.exe
Token: 33 808 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 808 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 808 SearchIndexer.exe (repeated 25 times)
Token: SeDebugPrivilege 4464 Technical Spec.exe (repeated 5 times) -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 4464 Technical Spec.exe -
Suspicious use of WriteProcessMemory 20 IoCs
description pid Process procid_target
PID 1888 wrote to memory of 1892 1888 Technical Spec.exe 95 (repeated 3 times)
PID 1888 wrote to memory of 4464 1888 Technical Spec.exe 96 (repeated 8 times)
PID 4464 wrote to memory of 4944 4464 Technical Spec.exe 123 (repeated 5 times)
PID 808 wrote to memory of 2192 808 SearchIndexer.exe 124 (repeated 2 times)
PID 808 wrote to memory of 4732 808 SearchIndexer.exe 125 (repeated 2 times) -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Technical Spec.exe  "C:\Users\Admin\AppData\Local\Temp\Technical Spec.exe"
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1888
    C:\Users\Admin\AppData\Local\Temp\Technical Spec.exe  "C:\Users\Admin\AppData\Local\Temp\Technical Spec.exe"
    PID:1892
    C:\Users\Admin\AppData\Local\Temp\Technical Spec.exe  "C:\Users\Admin\AppData\Local\Temp\Technical Spec.exe"
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4464
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe  C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        - Accesses Microsoft Outlook profiles
        - outlook_office_path
        - outlook_win_path
        PID:4944
-
C:\Windows\System32\alg.exe  C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
PID:3704
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe  C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
PID:3304
-
C:\Windows\System32\svchost.exe  C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:3384
-
C:\Windows\system32\fxssvc.exe  C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2604
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe  "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
- Executes dropped EXE
PID:4280
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:2924
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe  "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID:3100
-
C:\Windows\System32\msdtc.exe  C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:648
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE  "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:2388
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe  C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:224
-
C:\Windows\SysWow64\perfhost.exe  C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID:4480
-
C:\Windows\system32\locator.exe  C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:3728
-
C:\Windows\System32\SensorDataService.exe  C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1660
-
C:\Windows\System32\snmptrap.exe  C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:3104
-
C:\Windows\system32\spectrum.exe  C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1856
-
C:\Windows\System32\OpenSSH\ssh-agent.exe  C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:4852
-
C:\Windows\system32\svchost.exe  C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:3880
-
C:\Windows\system32\TieringEngineService.exe  C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1796
-
C:\Windows\system32\AgentService.exe  C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4240
-
C:\Windows\System32\vds.exe  C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:1460
-
C:\Windows\system32\vssvc.exe  C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:664
-
C:\Windows\system32\wbengine.exe  "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2624
-
C:\Windows\system32\wbem\WmiApSrv.exe  C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:1136
-
C:\Windows\system32\SearchIndexer.exe  C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:808
    C:\Windows\system32\SearchProtocolHost.exe  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
    - Modifies data under HKEY_USERS
    PID:2192
    C:\Windows\system32\SearchFilterHost.exe  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 900
    - Modifies data under HKEY_USERS
    PID:4732
-
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize 2.1MB
MD5 b109a633c2bf3c698c5de5ae60960e97
SHA1 c43c4508fb77da3847622035c57da40df5b53725
SHA256 da840391c8f0fe8ece73f81261c1e013cd510976cdb03206a3e9bb39c0d78ac8
SHA512 3dbd986683e1dba27924d42f4ccc33270962c0bc966543db4f71b4e9eecb3b168e8c86f5f18d6a78b39df691e7948290c530aa71e090c25b6e9c24cc910e431b
-
Filesize 1.4MB
MD5 03393f866755335016e96f590b6a7284
SHA1 80fbdb8256c78d10cdc9742c23b519dc0b9d3d14
SHA256 5327d4f939b97261e6352c3ffb37f14e860a8560d78e83e99838fd6285d72b36
SHA512 3e077ae1e4e6ff917deaf3eb4abd238b0aa3feae55acbcbb480f0fe3ab493c1b3bb518ae136dc242ede571eb3f6a5983a3275e9c1ed2f1ee1ec06b506e1ed15b
-
Filesize 1.5MB
MD5 8f6a5b93fa39c0790a5930e3210515c6
SHA1 b4c9433deb94b9c9cbfc5720dda23629fde79929
SHA256 e477152e9ae2b0a9d249f5b4c59e68d9ae23cefdcf4139c186aea494539703f5
SHA512 687e12f5a6d68a9be1f3bf91ea29799d92f77227aab98d8327ca59394a8f03dd979f42b4d71fe2cc1d76a8d685c2ba19a26f1cad96523c68bbdf62aaf2b55e2a
-
Filesize 2.1MB
MD5 5bf2c3fe05ba4463a485a763ff3348f3
SHA1 e707300ac527a1c6568824b9bea4f625b1e34df6
SHA256 64855d8ec88e287e127428d79380b810472bea70b771416355509feaa65a50bb
SHA512 600046963a8b8cdc437cabdcc2332e06d7637b34489d36449aedae650ab1d0e0423635516279baa50872ff43275c4a98e87ef74cbd64744dd9cbc1f213383177
-
Filesize 1.2MB
MD5 9d995a7502b2f756bfadc8777af680b5
SHA1 f3d41013e895381473923dc075649d64bee8bbb0
SHA256 a9d7b3fa294d43aec24f9ed7fff7adcf3d501b3f512d2adf73efe8c3083d97a6
SHA512 c7daf8e85adf53b321fca1b2322aec2959fc79923710dd30e93392cecc56c51b342afce37b94804bc7d8d27abcd6e7afb14a19be229d1653bf2bb3815dd6fe41
-
Filesize 1.7MB
MD5 de33f0352397e8f7e6226b7aece93588
SHA1 55a9cc0123ec9efb685124cb2db1adc19b00f984
SHA256 c2514d1585963b4d5c93ea06fdf2fe4c7359ff12c1ba6ccb79b537c219c47e55
SHA512 fafdcb8af18a9458cc69f50f57bd61cb5272b3c650eac08bc310c17dea0d9b0757c3bc587a762f73ec886a77dc0cd5e7db75a01f330307e86d5d461f81aeca91
-
Filesize 1.3MB
MD5 6a9418983e7773db0754058892b862fd
SHA1 af52942c2ed9592c2620c41b9b2b9b28e632d52c
SHA256 e32947df891700d293bf7f87548823f41af63f0ca4013aaa350a297365a2248c
SHA512 cb79ac573c0e17803a155a1c7b468aabd9346d99bd3f727f66a25afee3364f2452b8db9a561d583345362fe64479d4c1b56989fc644d2454fc0b75f753782127
-
Filesize 1.2MB
MD5 0d67250e3ba134f0552ffc01d57c202d
SHA1 c38949a5a429c61a2ab304f38aca91cd65d06409
SHA256 6c9c43a221a8ae553acf2775d1cd23557d4d6d03b699c876602fc0321fb20620
SHA512 8d724b75b63f5b89ed278e73906c79d6a65c1aca6105b82a014c7e87b3bd320de1fad9f09dbed86247d456b8140637dc696dbf838f58aa970ed177a2e8a5b822
-
Filesize 1.2MB
MD5 ee2092b90e631ed206f9acc4f9108c37
SHA1 9414f10f062bed509c55606a847de77c7f19c0c9
SHA256 b686ec391098f8c72592cf3ef6679c3ee7e601f09a887500dedd476713f41b7e
SHA512 a17f9c51e13a05769874905f9e22a4a2e8bb429602cb20017abf8191d8dd5337fccb592cc9983e066a3369a824e4e9fe62a670f3ee9cce1613c1567df52c3555
-
Filesize 1.6MB
MD5 0b816ce3819feab064609eeb26220560
SHA1 359bd5b42a2c928dc2fbdf4a3b838b8f5ca5e745
SHA256 763c153ee2c61bd47808e24bbca71a655f0864b04342206d1f6d49ef4ad53026
SHA512 1171c7822a28c5f3ba899ea983dae8ed8ecc9dab8ec06c80563f7d8becbdfca5188113b8cead0720b58db437872bc53ed536429576433ad7a27d1d20eb07a038
-
Filesize 1.6MB
MD5 0b816ce3819feab064609eeb26220560
SHA1 359bd5b42a2c928dc2fbdf4a3b838b8f5ca5e745
SHA256 763c153ee2c61bd47808e24bbca71a655f0864b04342206d1f6d49ef4ad53026
SHA512 1171c7822a28c5f3ba899ea983dae8ed8ecc9dab8ec06c80563f7d8becbdfca5188113b8cead0720b58db437872bc53ed536429576433ad7a27d1d20eb07a038
-
Filesize 1.3MB
MD5 4c7408ceccabd942ae65e37d59e42559
SHA1 5ac82bbba77bb64a12c0cc47e9fcdbcef3d0a664
SHA256 5c6c1ffdbf4c03692bdef75ea75b38d6506b1bb4de00351bc77c3f1fc8ddd6d7
SHA512 cca1f8194452333fdcde82a1a97aa41817b81c2286b6c3ba6c8cd1c2f0d668560bd0ab335ee5ac6d2d4e3692393752a32377e380afd7e97b750151e8d13f76e1
-
Filesize 1.4MB
MD5 580be07387284f714716644b6ce450c1
SHA1 ea066cd7309219b76361f8a55ef9e59bfdf43d0d
SHA256 004c7b0f8dcd63315b830a1ec160facf0bc3ed6092c819da52a3d041c09fb8a1
SHA512 ebabc4c80b055342ef76ce0281d4bbf7bb146330f58157a4518fef395579161a9921da5e378097fd13def94d35afd6acbdca4aca47ea2a80ed31721ceab1951c
-
Filesize 1.8MB
MD5 10d2e1a4ca6fc101a622ae7ce3484398
SHA1 e50a0bc44131b75d6e0ef705b138cf5539e14af2
SHA256 072172c6ad0e4261194f55a52e47804b51bf68507242fae80d48b7ae3b1c2806
SHA512 060ecced3ca2b1bfd75929170df574eb8ce8cfba77c6466077bd24e8829ceb6145b939fb5ac3b3575e9330039aed54bdf7dbb7183202611399766554adee5181
-
Filesize 1.4MB
MD5 0d1305c82e143b82dbdc4b2bfad42282
SHA1 e7b9104ee3ad1b0feb1d291aa5886e03b88abc03
SHA256 74fccd1778e6ab599b6b88f55f78b467ba25ee7c16e49340505623f864652b2c
SHA512 98317ce604c89b743cda0f6ce192d8793f609aeae8778b4c336ca40e3fb6cc32b168a327fd0ac81d9d8a31b27f07e120ad0924c77b24186bffed2e41600994b7
-
Filesize 1.5MB
MD5 4a8011d26e4f55e668b752aa2529e1c3
SHA1 a03bd9ed4e23a686171d7f1c3c4c3d3a4bf4b4fc
SHA256 2d153ac993a19560fee674fb8aa2f3ed18913a0d7efee04f054a1eb8f30a3529
SHA512 e211a6139811253c635e92e81efaaf495bc20ac2afa35cacb814e631827a9fd9dd30a07879883b54e9f8d4a187603aa29b5dbbf7607bf4169df1cc0742759517
-
Filesize 2.0MB
MD5 e724cfb7b1c2dd5b63a5f22bbe840cdd
SHA1 42eb5521063b9a2a9dc76aee5936504a55edadfb
SHA256 38faec1a812d8737f1b6d2bb984efaba53abc6c5ef6f58487e95e28ba4373137
SHA512 080c9ff5c708aacfce7b5a94662d6b88129d358b5c0ebe37d3e6643073b7271ccfd0e4b8103910fc0d13e96ad07afe5d5c27dd19d9bfe813ecdcbec1f7ad6089
-
Filesize 1.3MB
MD5 40f9f451bd8a5c019bf90663ab83369d
SHA1 20656a96be33e72013ef263b8ec35c8ca0df81d4
SHA256 c91de9cf9f0d24023aa708b164f24a05691bbf6adb381a59375daae81b5ca7b4
SHA512 5f2e0e96a4a77e3228d4873e28013255bc677521a61bcb80480aa4e0e867c5100a0554d6d35ce43917d9d33eb044d585fef2e0c78b676916ba2bf7c75c9aec59
-
Filesize 1.4MB
MD5 f7a0f71efa831e8092e14351b26032a4
SHA1 5cc6fb43ad17994ba6a6be656017a3d8f0c6a3b2
SHA256 afaaabfeb78f74a1e27c2ef1a0ad38f9469d84690a27850817c2125523a2df05
SHA512 60e52c99305a904acd7ea4f5dc2e72f553d4626ff18ed6b6ab2feed52a48b1e20d6af9818df2c86c2b5178e70faa6ceaf37013ef62586e8892b0da3547032b52
-
Filesize 1.2MB
MD5 595d11fb27a4536a419cd0f9a69fe9bb
SHA1 9893de68a213872dfe35c0a0d8208c206306b5c4
SHA256 be99905c0e3142f93c38af5940bbb1805ab12e8f863640aef88768adf17cd7b4
SHA512 520fa13fbeac620e56f055095311425d965531f4e4650b48a8675634016ddd4fe70c3778cb69c0b448f61caf147d005a3f1a30942b4a912946e3221ef2adb88a
-
Filesize 1.3MB
MD5 947ee4944b416dd3c35b779e1978c32f
SHA1 bfbd897856f5d12fd7c92bfd453569e0488cf130
SHA256 9f67f00e925f1b8f517f16493df77ada337921fd6ac8ec36590927a1b8d55cc5
SHA512 f34eeda54accd79b51f15bd24be25979358f599ff64de39b533d13714a6c92f709605d876cf7a9de8fb0d2688fc2c92d6c82bae81365ef238dc894da19381314
-
Filesize 1.4MB
MD5 8f3f5ced2869f2484a6726c533de3639
SHA1 c16007d50c4673e2d1436db42872d514b110ec0d
SHA256 d8b7b2ecde3a1754b43a41976c9ba7ae0d53b2b225554fe2cc54038d881de369
SHA512 60e7a83ec55a65549601bc38ef594b208c22f99ecfc8410db198e4b3d306e98e8fe765e21dcd35bfa235a6b608bb8bd4fe98bd6caa735777638243db60e86cd6
-
Filesize 2.1MB
MD5 f95902aaabe00d312272cf17b5bbaf54
SHA1 5cc866ccf00d6918be12218958ae4aea71d2b8fc
SHA256 d4985602728fddb711b0a4c1f8aab0bc2bd063bb2972408d8806ca5d267c1b11
SHA512 b6cca3889aea00c38fe4ceb4c7b7f8267855c8ca4c4b991df46b2aba5d30b21f7f402c9b3b179fbf7db02e4f8419b542db9487f4d1ccd617fc2ad883e537ccb0