blustealer | 2dbef10abc332d28d4a41f5ae426d16ce7fb0387ecdb86409fab46eb8cc270ea

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
16-04-2023 16:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Purchase Order.exe
Size

1.4MB
MD5

319a8140493686ae81266875c0c3e06b
SHA1

1e689c700794b8545ed722c0be7f644e86a37ec0
SHA256

2dbef10abc332d28d4a41f5ae426d16ce7fb0387ecdb86409fab46eb8cc270ea
SHA512

18410bbf80641bb2dacdd078a5d5237efe6ee50cd9347ba7d4025035216bfb6c09a3c4aecbf0eb15a931773da43c28f6310cb0d2b79e1b85db69ef70c39b96cb
SSDEEP

24576:lgwaY8W87dC0QjhfDggweZKP0Y649fFlAv7Z16hiTucbqE7eNffIe:mLjWsNQtfcgvelffAv7vjyl

Score

10^/10

blustealer collection spyware stealer

Malware Config

Extracted

Family

blustealer

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 22 IoCs

pid	Process
1084	alg.exe
432	DiagnosticsHub.StandardCollector.Service.exe
4252	fxssvc.exe
4264	elevation_service.exe
4528	elevation_service.exe
1640	maintenanceservice.exe
4620	msdtc.exe
3864	OSE.EXE
1412	PerceptionSimulationService.exe
2776	perfhost.exe
2704	locator.exe
4972	SensorDataService.exe
2800	snmptrap.exe
4492	spectrum.exe
2384	ssh-agent.exe
3420	TieringEngineService.exe
3808	AppLaunch.exe
4044	vds.exe
1276	vssvc.exe
3972	wbengine.exe
2160	WmiApSrv.exe
2940	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SearchIndexer.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\dllhost.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	Purchase Order.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\vssvc.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	Purchase Order.exe
File opened for modification	C:\Windows\System32\alg.exe	Purchase Order.exe
File opened for modification	C:\Windows\System32\msdtc.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\locator.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\wbengine.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\c955d684c0346ca3.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	Purchase Order.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	Purchase Order.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\msiexec.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\spectrum.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\AgentService.exe	Purchase Order.exe
File opened for modification	C:\Windows\System32\vds.exe	Purchase Order.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4500 set thread context of 488	4500	Purchase Order.exe	91
PID 488 set thread context of 3808	488	Purchase Order.exe	118

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmc.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\schemagen.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\xjc.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jjs.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\orbd.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\kinit.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\pack200.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\rmiregistry.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jp2launcher.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jrunscript.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\ssvagent.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	Purchase Order.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javaws.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jabswitch.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ktab.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\pack200.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\nbexec.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdeps.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\tnameserv.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javah.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jhat.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\keytool.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\java-rmi.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\rmid.exe	Purchase Order.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	Purchase Order.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	Purchase Order.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\policytool.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\unpack200.exe	Purchase Order.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Purchase Order.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\rmiregistry.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Purchase Order.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	Purchase Order.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jsadebugd.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\orbd.exe	Purchase Order.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	Purchase Order.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e682fe218370d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006ae8b11c8370d901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008571ad218370d901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e2a653f88270d901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001b9776198370d901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004b18b3208370d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	99	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
488	Purchase Order.exe
488	Purchase Order.exe
488	Purchase Order.exe
488	Purchase Order.exe
488	Purchase Order.exe
488	Purchase Order.exe
488	Purchase Order.exe
488	Purchase Order.exe
488	Purchase Order.exe
488	Purchase Order.exe
488	Purchase Order.exe
488	Purchase Order.exe
488	Purchase Order.exe
488	Purchase Order.exe
488	Purchase Order.exe
488	Purchase Order.exe
488	Purchase Order.exe
488	Purchase Order.exe
488	Purchase Order.exe
488	Purchase Order.exe
488	Purchase Order.exe
488	Purchase Order.exe
488	Purchase Order.exe
488	Purchase Order.exe
488	Purchase Order.exe
488	Purchase Order.exe
488	Purchase Order.exe
488	Purchase Order.exe
488	Purchase Order.exe
488	Purchase Order.exe
488	Purchase Order.exe
488	Purchase Order.exe
488	Purchase Order.exe
488	Purchase Order.exe
488	Purchase Order.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	488	Purchase Order.exe
Token: SeAuditPrivilege	4252	fxssvc.exe
Token: SeRestorePrivilege	3420	TieringEngineService.exe
Token: SeManageVolumePrivilege	3420	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3808	AppLaunch.exe
Token: SeBackupPrivilege	1276	vssvc.exe
Token: SeRestorePrivilege	1276	vssvc.exe
Token: SeAuditPrivilege	1276	vssvc.exe
Token: SeBackupPrivilege	3972	wbengine.exe
Token: SeRestorePrivilege	3972	wbengine.exe
Token: SeSecurityPrivilege	3972	wbengine.exe
Token: 33	2940	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2940	SearchIndexer.exe
Token: SeDebugPrivilege	488	Purchase Order.exe
Token: SeDebugPrivilege	488	Purchase Order.exe
Token: SeDebugPrivilege	488	Purchase Order.exe
Token: SeDebugPrivilege	488	Purchase Order.exe
Token: SeDebugPrivilege	488	Purchase Order.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
488	Purchase Order.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 4500 wrote to memory of 488	4500	Purchase Order.exe	91
PID 4500 wrote to memory of 488	4500	Purchase Order.exe	91
PID 4500 wrote to memory of 488	4500	Purchase Order.exe	91
PID 4500 wrote to memory of 488	4500	Purchase Order.exe	91
PID 4500 wrote to memory of 488	4500	Purchase Order.exe	91
PID 4500 wrote to memory of 488	4500	Purchase Order.exe	91
PID 4500 wrote to memory of 488	4500	Purchase Order.exe	91
PID 4500 wrote to memory of 488	4500	Purchase Order.exe	91
PID 488 wrote to memory of 3808	488	Purchase Order.exe	118
PID 488 wrote to memory of 3808	488	Purchase Order.exe	118
PID 488 wrote to memory of 3808	488	Purchase Order.exe	118
PID 488 wrote to memory of 3808	488	Purchase Order.exe	118
PID 488 wrote to memory of 3808	488	Purchase Order.exe	118
PID 2940 wrote to memory of 3924	2940	SearchIndexer.exe	119
PID 2940 wrote to memory of 3924	2940	SearchIndexer.exe	119
PID 2940 wrote to memory of 4680	2940	SearchIndexer.exe	120
PID 2940 wrote to memory of 4680	2940	SearchIndexer.exe	120

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4500
- C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe
  "C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:488
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:3808

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1084

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:432

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4816

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4252

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4264

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4528

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1640

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4620

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3864

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1412

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2776

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2704

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4972

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2800

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4492

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2384

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2656

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3420

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
PID:3808

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4044

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1276

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3972

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2160

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2940
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3924
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4680

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
c1441c90f6b1ce705d1c38acc7d84d36

SHA1
9d3a5301e9c9f3bdec1e6dbe07d450bd35189183

SHA256
aeac22d18d6a4132e1e2c57b5b68dba3cb8eac1a98d66b56b367a00cb30f97d1

SHA512
2f5f00f1a64b227624ab705c5d7ccfe1ac3bb08170de80868e56f197ce2175483b0eddf10adaa02c43f82436b5c4ea78f7e8b16caf1c5d3a1622ca2985b83d4b

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
d72562f67a4f92e6d6453d25cce43308

SHA1
1251dad63a21df165c103af2c711ae8750c9d7f3

SHA256
b0c337602e4e1051587b5b8bab6597982f67f64a5ce466c190bb65a6fde272ae

SHA512
f1056b71b9962c5d1c8fddeee413e3ad53258790f2b6232d747fbc97f30a37133f1145136e8f14004723cf02bb0c687ca44b9be14111889312b99a09b604c876

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
94f5a47de937dff8924fcff895fbb5df

SHA1
70a6ac5fbe893f4c774a67611111382c4a0d00ac

SHA256
e16d73c066421f2623dbbf701cddf24de183d0b32272c363e9bafdbd470d6663

SHA512
cee81cc7a02c44f633599b2c86ceacb31dc4d54874686d4b8e306974a3b7c26f3821dd47d118e2d99d5e9fe16961033e1001779aa0342ea6a75c4716248b6a88

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
db9307c38ab85fbf084e8bb18acdad20

SHA1
7c1d2c9d443fea245f276cb80588b5431758c60a

SHA256
9e22d33988a5afcfa0bd710ecd559bc5856066309e75a7b33ab80696f5ad5de2

SHA512
d854a0cfefe3fe59de7e4ec26bb4ef5b9cf4ceebc13da60e0caf1aa8b15fcf09cb84be0c433c22b2098063c653834ed9b5ba979dd0b8ca2b1261ce9e01638944

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
3d7652fe2a8fd9d7d3f42755d32ae8ca

SHA1
84a18b6e22bb5e7eef3e6196966ef27c01186cf8

SHA256
ecbb7a1f0b77b29027ea3f474eb50486aadff1e07438b80d9d7342784228986a

SHA512
5ff4e2c93ea73291bc236dfecee2cb7cdc017d20031f90589f24f263af6442f1a8e0b03f62ae6b29ec6550434a659d748bef3bf83a0781f41be27f1a246f0ae7

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
1bfeeb731f9e574f593d3e7b79563876

SHA1
d58627ea6b105fd8479bd4b3d225c7d8169433d0

SHA256
2eb1c29c30858da607d04e73d41fd5862519fc71d5b0d23b5e136140ab60bf73

SHA512
d892f6b273df2de03b411f10158753a2e7259719a2833666dbb69874f25e58d82d3728f3f3682e2db869579edcb1a5c0eda0025ba282f1ee6d6e2846792d9d8a

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
226fcdf776afcd504a9dab8120be9b5b

SHA1
b53b208953a8d75d22cbc7b5912ccbe128f5004c

SHA256
45843255e1a1becc6f85995664767f38035773acbbb275b5512a45351a846603

SHA512
2398fef3480c59443eca7356fbfc5087273bde665c5a8fe313605bdde499f6fa323d73349178d3a34f1e4e69b2e4a032ba64d5d3d3e20af1e3ee47cb7a28059d

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
577130e761991b01b676780f1bbc5b21

SHA1
3c888be4e9a477f99368cd33c0eb47191a462958

SHA256
914f80680516c45b5d0d90014ee980aa7cb50690709365e3af6dd8f5e1e75986

SHA512
b015a67ccbd141f4584c48d3cc171c3c89e29f629bc506cd744c4e5d6e4f1cef1cc144136dbd6c9a1ab5c2065749cc6991d098fe0429f3bc921d6852a49bdd12

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
c6982ce568762e70d1f28ec2ca7cd1e0

SHA1
25e0dbf4be441e94e807c04eef14ae37789eff89

SHA256
4a15c8495e1b62f5f87c598d68be6ee0857631d1809c1482f33fdd7c3ba48d7e

SHA512
09b2836f9f12e4c3e39761749cde0dea96d347f1c61122c2739076a1b9ace8f68d6f7c79468292e06ce1817e020f071333ddc723c94ec9b64da87820b4993a9e

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
3725d90ec1ab485dd5f80807b2bd80eb

SHA1
a9623404bfdf71ae1c4e19cfdec8347eb2c99596

SHA256
64932d44beeb677add44164818cef6092bc67d18cd4083dd62507721147eb1bc

SHA512
380437ddc328f1bd87e5265479a97ed456fe57494699c60e351c7bbbc3e1ddda0db3cea2d8a98f1f70e6acdf45ea3936faeedbdc129e115de26e93e9e0535b18

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
3725d90ec1ab485dd5f80807b2bd80eb

SHA1
a9623404bfdf71ae1c4e19cfdec8347eb2c99596

SHA256
64932d44beeb677add44164818cef6092bc67d18cd4083dd62507721147eb1bc

SHA512
380437ddc328f1bd87e5265479a97ed456fe57494699c60e351c7bbbc3e1ddda0db3cea2d8a98f1f70e6acdf45ea3936faeedbdc129e115de26e93e9e0535b18

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
a482a5e77e4995ea6d66afc3e1816e1d

SHA1
07e68a20e26acc85e2f78a3cc9b303e4a18a7841

SHA256
5f9f85102c4665d41a4c7f6c6f2bc1030c1cf3bc0bec2ea10c2dfde251df56bc

SHA512
5bebcafaeaf67c4b3b3146c9d148672adf25b2a0366cb7b811b1f44220d179825ce74905a6d2df33e583e4d63d450ee1edd4a0c988427c72383d81eaff7045bf

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
8956d042fd636506a5f7ee6f2c74e543

SHA1
ddcf9feca2d7e59e8d1d2def73d63ffde7898d3c

SHA256
15a90f3ddab7043c51909af2c12602618019f04b28dc916f5d8efa407993e0ba

SHA512
0e6fe19f47855c085bce412a1ff1acd7abd913422c01b8aac7f726f5a9ff6d965c77c442dde79a8da7fc6184d7b98f5401bfb00b087c5872b4fd273076a625ab

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
263c8733b799edc1e861777f01fc9cc2

SHA1
17b0b466bd8a5cacfa97883c4629b401a0dbff75

SHA256
22122a4b45fc45d9e205e27b159b636c685996616d20152eded1c9f80db880a2

SHA512
d2e7538919ded52dfaf291d9d9c7e6d0bd3d000bb6b75d8ba0609e3adab416e7f18acca039f9b381c574dff75e842e89a211fa1f199a70b6ac3db180b0865406

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
b8cb3672301da407f5150079f741193b

SHA1
ee4c84d1bdf0e6ace8edffea063a6fce1eec9949

SHA256
0932e3ae62595e94a0287c9548447586ef92d0e432223c682699559c545ff23f

SHA512
c111bfd42a1ec9d1050ea0d8017fa837d9cb860f227e1eba456bac4d9534c6d4191b2ded75fff43465cd533a3ce01b598904fccd3c4a6177cfbea8b57e2dd72b

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
c1cdba0d0cabe6a43eff78465e093742

SHA1
c5c81d0bab7d142cbcaa07d885dc03406e97fede

SHA256
d7901cf6bf43d15adf0c617ac3a9b8ef847666dc3f1f580eede09803ff9692e2

SHA512
a0aed3bc30d3d4aeacf1c60f33eb055baad4237f4699e7c1cbbd89e311cc90357fbd990ead2d7fe8dc8f545899b2b1bdcadbf1a6f8d2d03293e0db93313e473f

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
2202b0d1359e4a74c88ce014dd7f7930

SHA1
055c24ec260190a752c97b6f75660238726cf787

SHA256
fc2631a682ddfc3b182a23f1f2240b15c82c97c418fb759586fb47f4bceb7b9a

SHA512
f1e6bf51069964a3b7a86d3bf4795f45954794cc95adf08726fa82d0c5c94bcf733a368db8adb2cba30fabcd3657668b933b2bbc6e996903c4963d298cc98152

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
f8c4c88d96401c288a5df8fe6cff04f0

SHA1
ec7c84ef1f2d6eb3c7ab8c0b742daef47eb147a2

SHA256
c983fd600ae1c79ab6cc7db2db610363cc759add04c46f6ca6a16c7cb75f4692

SHA512
4ade8874eab94f9f10b4e0bdd1dc3500dbe7242b774980090ac95007b09d82e0f04a4a57fbc1ddb86bd2afdbc1b3ff50426921e0eaabd8e72323822d2bae10bb

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
c218fe0fb74f077ed171bca6675042c3

SHA1
8769320e15d955e211e018666eca36f0e772a2a7

SHA256
0ae64e90294b47ad39fcfdc4cedd0df196293aa650e3b19aa7b79a9fc53bf358

SHA512
5f36419af54cfa666b755563b21dc315c58e7f7cb320e220f4eae08669db402a27bf95199298fac59e2f9ab3e72be2203ad7df7ac30629712295535bbedc70ca

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
067a91629a2bd33fce2d48d266d8b2af

SHA1
bbfabdd7f65b403c2c37146f26ff93a315c4a983

SHA256
240190dc9c415af10da91ed234b8916294279583d07ae9697749a304a75772b6

SHA512
a1e1f471556901535275757c194ba0b46cd620514ab468d5964b5384c119d3bcebeb177a42022b5ff559d9fd58223407210b47181a640f6dc1850a8209433b7f

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
41fa04436a2c517943c8e13a37ac2680

SHA1
8f666252adc4d68646809123c36cfa415994de67

SHA256
a892c8c28436a534b1cc63750b620a8da82d963a6f819ec5044f44d436062dc2

SHA512
fd139ade4d22709d39aa22ed1d3f43fdb00d997dc4d262cc954c254b6c4439877599eef4e523414ceeebf18f6e2d2fbb1b81a8659fb3e1d7951417e6fbcac9cd

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
059ef4742258bc78f617ea476f138aaa

SHA1
e5e1541cb670d62e0d810b96e8bd61661f76b068

SHA256
3a25e0675b4379a84dabb662d1fd44ffa0921199bf89efd7a6ee53fcea535c8c

SHA512
c1db9db7c3442e3938044114958f9a1580c8e0f75b0b2fc545fe7c4a1d8ee5e7259e20c72c2fb3b35b28d552d83d399c93c1d6a83a2d8f801098795151ee8508

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
57754d82b2bd2eb667412d7423f83be7

SHA1
d9809fd8e647681421f2786fba7a0617ee99e3e5

SHA256
a5e0630f2fb9a098bb3edbfff2a71c11ac014db5d55f099abedd5dc86edc5b3c

SHA512
afa7917ed6f5ecde6b6865d759514fec863ce53e567539b426677c821963d4a8a92676ae8474959af8644da606139354a01f6305804718a120828d77cd99b554

Download Submit
memory/432-171-0x0000000000660000-0x00000000006C0000-memory.dmp

Filesize
384KB

Download
memory/432-180-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/432-177-0x0000000000660000-0x00000000006C0000-memory.dmp

Filesize
384KB

Download
memory/488-141-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/488-158-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/488-150-0x00000000035F0000-0x0000000003656000-memory.dmp

Filesize
408KB

Download
memory/488-145-0x00000000035F0000-0x0000000003656000-memory.dmp

Filesize
408KB

Download
memory/488-144-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1084-157-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/1084-165-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/1084-160-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/1084-326-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/1276-601-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1276-388-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1412-269-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/1640-218-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1640-224-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1640-228-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1640-230-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2160-608-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/2160-408-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/2384-582-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/2384-330-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/2704-288-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/2776-287-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/2800-568-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2800-310-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2940-432-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2940-617-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3420-345-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/3420-586-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/3808-513-0x00000000052B0000-0x00000000052C0000-memory.dmp

Filesize
64KB

Download
memory/3808-507-0x00000000009D0000-0x0000000000A36000-memory.dmp

Filesize
408KB

Download
memory/3808-359-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3864-249-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/3864-461-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/3972-390-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3972-602-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4044-600-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4044-365-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4252-205-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4252-182-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/4252-188-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/4252-195-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4252-203-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/4264-386-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4264-197-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4264-200-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/4264-192-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/4492-328-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4492-581-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4500-138-0x0000000005130000-0x0000000005140000-memory.dmp

Filesize
64KB

Download
memory/4500-136-0x0000000004DC0000-0x0000000004DCA000-memory.dmp

Filesize
40KB

Download
memory/4500-134-0x0000000005510000-0x0000000005AB4000-memory.dmp

Filesize
5.6MB

Download
memory/4500-135-0x0000000004E00000-0x0000000004E92000-memory.dmp

Filesize
584KB

Download
memory/4500-140-0x0000000007110000-0x00000000071AC000-memory.dmp

Filesize
624KB

Download
memory/4500-139-0x0000000005130000-0x0000000005140000-memory.dmp

Filesize
64KB

Download
memory/4500-133-0x00000000002A0000-0x000000000040A000-memory.dmp

Filesize
1.4MB

Download
memory/4500-137-0x00000000052F0000-0x0000000005496000-memory.dmp

Filesize
1.6MB

Download
memory/4528-405-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4528-215-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4528-207-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/4528-213-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/4620-247-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/4620-232-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/4680-657-0x0000018EF8280000-0x0000018EF8290000-memory.dmp

Filesize
64KB

Download
memory/4680-658-0x0000018EF8290000-0x0000018EF8291000-memory.dmp

Filesize
4KB

Download
memory/4680-659-0x0000018EF83C0000-0x0000018EF83D0000-memory.dmp

Filesize
64KB

Download
memory/4680-660-0x0000018EF83C0000-0x0000018EF83D0000-memory.dmp

Filesize
64KB

Download
memory/4680-679-0x0000018EF83C0000-0x0000018EF83C2000-memory.dmp

Filesize
8KB

Download
memory/4680-744-0x0000018EF8290000-0x0000018EF8291000-memory.dmp

Filesize
4KB

Download
memory/4680-745-0x0000018EF83C0000-0x0000018EF83D0000-memory.dmp

Filesize
64KB

Download
memory/4680-746-0x0000018EF83C0000-0x0000018EF83D0000-memory.dmp

Filesize
64KB

Download
memory/4972-309-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4972-490-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download