Analysis
  max time kernel: 147s
  max time network: 152s
  platform: windows10-2004_x64
  resource: win10v2004-20230221-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 12-05-2023 14:17
Tasks
  Static task: static1
  Behavioral task: behavioral1
    Sample: Purchase Order.exe
    Resource: win7-20230220-en
  Behavioral task: behavioral2
    Sample: Purchase Order.exe
    Resource: win10v2004-20230221-en
General
  Target: Purchase Order.exe
  Size: 1.4MB
  MD5: 98ac95047944a90076ed642f2b56fc7f
  SHA1: e34b95acbdbead3a7057f6e42673bed24aa573c9
  SHA256: 421845b1fbf3828e4f4fe3e7147f501a422bd6ae755e388a089c67d005770b58
  SHA512: 8d415d64193df913602752c3004a7a24d7bc0ab29129eda9a1e9653e7cbfbaccb5ada7a1aa4a8b4ea81ff7fc2696fea242caf722e655b43f41cdc952738c5f74
  SSDEEP: 24576:N8whh2b5/1L3Y5zhzKSYIb34DSNCZlk0pRIIV6Kkcd4UiivgEvyV1jBSH:w91Lo5zgSYUI24ZlkwRI+9WUiiv7vyX0
Malware Config
  Extracted
    Family: blustealer
    C2: https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325
Signatures

BluStealer
  A modular information stealer written in Visual Basic.

Executes dropped EXE (22 IoCs)
  pid   process
  2696  alg.exe
  2304  DiagnosticsHub.StandardCollector.Service.exe
  4640  fxssvc.exe
  1696  elevation_service.exe
  3932  elevation_service.exe
  4432  maintenanceservice.exe
  3180  msdtc.exe
  3148  OSE.EXE
  1976  PerceptionSimulationService.exe
  1392  perfhost.exe
  3788  locator.exe
  348   SensorDataService.exe
  1592  snmptrap.exe
  1492  spectrum.exe
  2732  ssh-agent.exe
  4060  TieringEngineService.exe
  3556  AgentService.exe
  4736  vds.exe
  4764  vssvc.exe
  4664  wbengine.exe
  4084  WmiApSrv.exe
  4452  SearchIndexer.exe
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AppLaunch.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AppLaunch.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AppLaunch.exe
Drops file in System32 directory (24 IoCs)
  description | ioc | process
  File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | Purchase Order.exe
  File opened for modification | C:\Windows\System32\vds.exe | Purchase Order.exe
  File opened for modification | C:\Windows\system32\vssvc.exe | Purchase Order.exe
  File opened for modification | C:\Windows\SysWow64\perfhost.exe | Purchase Order.exe
  File opened for modification | C:\Windows\system32\locator.exe | Purchase Order.exe
  File opened for modification | C:\Windows\system32\msiexec.exe | Purchase Order.exe
  File opened for modification | C:\Windows\system32\wbengine.exe | Purchase Order.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\dc1dc278c9ce9937.bin | alg.exe
  File opened for modification | C:\Windows\system32\dllhost.exe | Purchase Order.exe
  File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | Purchase Order.exe
  File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | Purchase Order.exe
  File opened for modification | C:\Windows\system32\SearchIndexer.exe | Purchase Order.exe
  File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | Purchase Order.exe
  File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
  File opened for modification | C:\Windows\system32\fxssvc.exe | Purchase Order.exe
  File opened for modification | C:\Windows\System32\msdtc.exe | Purchase Order.exe
  File opened for modification | C:\Windows\System32\SensorDataService.exe | Purchase Order.exe
  File opened for modification | C:\Windows\system32\SgrmBroker.exe | Purchase Order.exe
  File opened for modification | C:\Windows\System32\snmptrap.exe | Purchase Order.exe
  File opened for modification | C:\Windows\system32\spectrum.exe | Purchase Order.exe
  File opened for modification | C:\Windows\System32\alg.exe | Purchase Order.exe
  File opened for modification | C:\Windows\system32\AppVClient.exe | Purchase Order.exe
  File opened for modification | C:\Windows\system32\TieringEngineService.exe | Purchase Order.exe
  File opened for modification | C:\Windows\system32\AgentService.exe | Purchase Order.exe
Suspicious use of SetThreadContext (2 IoCs)
  description | pid | process | procid_target
  PID 2072 set thread context of 3352 | 2072 | Purchase Order.exe | 89
  PID 3352 set thread context of 1632 | 3352 | Purchase Order.exe | 95
Drops file in Program Files directory (64 IoCs)
  description | ioc | process
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\jrunscript.exe | Purchase Order.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\bin\javaw.exe | Purchase Order.exe
  File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\orbd.exe | Purchase Order.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe | Purchase Order.exe
  File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe | Purchase Order.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe | Purchase Order.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe | Purchase Order.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE | Purchase Order.exe
  File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe | Purchase Order.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe | Purchase Order.exe
  File opened for modification | C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe | Purchase Order.exe
  File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\kinit.exe | Purchase Order.exe
  File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\ktab.exe | Purchase Order.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | Purchase Order.exe
  File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe | Purchase Order.exe
  File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe | Purchase Order.exe
  File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe | Purchase Order.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\pack200.exe | Purchase Order.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\rmiregistry.exe | Purchase Order.exe
  File opened for modification | C:\Program Files (x86)\Google\Update\Install\{989CBEF4-A34C-4AE5-A19C-57B2F66BB278}\chrome_installer.exe | Purchase Order.exe
  File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe | Purchase Order.exe
  File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe | Purchase Order.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe | Purchase Order.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe | Purchase Order.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\bin\pack200.exe | Purchase Order.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\jstatd.exe | Purchase Order.exe
  File opened for modification | C:\Program Files\Mozilla Firefox\crashreporter.exe | Purchase Order.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\uninstall.exe | Purchase Order.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | Purchase Order.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe | Purchase Order.exe
  File opened for modification | C:\Program Files\7-Zip\7z.exe | Purchase Order.exe
  File opened for modification | C:\Program Files\7-Zip\7zG.exe | Purchase Order.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\jdb.exe | Purchase Order.exe
  File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe | Purchase Order.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\jconsole.exe | Purchase Order.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\bin\ktab.exe | Purchase Order.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe | Purchase Order.exe
  File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | Purchase Order.exe
  File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | Purchase Order.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\jmc.exe | Purchase Order.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\bin\rmiregistry.exe | Purchase Order.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\bin\kinit.exe | Purchase Order.exe
  File opened for modification | C:\Program Files\Mozilla Firefox\updater.exe | Purchase Order.exe
  File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe | Purchase Order.exe
  File opened for modification | C:\Program Files\Internet Explorer\ielowutil.exe | Purchase Order.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe | Purchase Order.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\bin\jjs.exe | Purchase Order.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\schemagen.exe | Purchase Order.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\bin\rmid.exe | Purchase Order.exe
  File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\java.exe | Purchase Order.exe
  File opened for modification | C:\Program Files\Mozilla Firefox\default-browser-agent.exe | Purchase Order.exe
  File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe | Purchase Order.exe
  File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log | maintenanceservice.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\jps.exe | Purchase Order.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\rmid.exe | Purchase Order.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe | Purchase Order.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\jcmd.exe | Purchase Order.exe
  File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice.exe | Purchase Order.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe | Purchase Order.exe
  File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | Purchase Order.exe
  File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe | Purchase Order.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | Purchase Order.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\keytool.exe | Purchase Order.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\serialver.exe | Purchase Order.exe
Drops file in Windows directory (2 IoCs)
  description | ioc | process
  File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | Purchase Order.exe
  File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | spectrum.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | spectrum.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
  Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Modifies data under HKEY_USERS (64 IoCs)
  description | ioc | process
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound" | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration" | SearchIndexer.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie | SearchFilterHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" | SearchProtocolHost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | SearchFilterHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet" | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration" | SearchIndexer.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | SearchFilterHost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device | SearchFilterHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration" | SearchIndexer.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration" | SearchIndexer.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000487bdd72ed84d901 | SearchProtocolHost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | SearchProtocolHost.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000061b45171ed84d901 | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show" | SearchProtocolHost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions | SearchFilterHost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | fxssvc.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" | SearchProtocolHost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | SearchFilterHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie" | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" | SearchProtocolHost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text" | SearchProtocolHost.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005dfbcd6eed84d901 | SearchProtocolHost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1133 = "Print" | fxssvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File" | SearchProtocolHost.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000733c5e73ed84d901 | SearchProtocolHost.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | SearchFilterHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" | SearchProtocolHost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application" | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet" | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" | SearchProtocolHost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia | SearchFilterHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo" | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template" | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document" | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File" | SearchProtocolHost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In" | SearchProtocolHost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" | fxssvc.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection" | SearchIndexer.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000042a3c572ed84d901 | SearchProtocolHost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence" | SearchProtocolHost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates | SearchFilterHost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList | SearchProtocolHost.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000067f4b472ed84d901 | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet" | SearchProtocolHost.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009d99ac6eed84d901 | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document" | SearchProtocolHost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | SearchFilterHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" | SearchProtocolHost.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000054b8056eed84d901 | SearchProtocolHost.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
description flow ioc HTTP User-Agent header 76 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious behavior: EnumeratesProcesses 35 IoCs
pid Process
3352 Purchase Order.exe (35 occurrences)
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
656 Process not Found (2 occurrences)
-
Suspicious use of AdjustPrivilegeToken 43 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 3352 Purchase Order.exe
Token: SeAuditPrivilege 4640 fxssvc.exe
Token: SeRestorePrivilege 4060 TieringEngineService.exe
Token: SeManageVolumePrivilege 4060 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 3556 AgentService.exe
Token: SeBackupPrivilege 4764 vssvc.exe
Token: SeRestorePrivilege 4764 vssvc.exe
Token: SeAuditPrivilege 4764 vssvc.exe
Token: SeBackupPrivilege 4664 wbengine.exe
Token: SeRestorePrivilege 4664 wbengine.exe
Token: SeSecurityPrivilege 4664 wbengine.exe
Token: 33 4452 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 4452 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4452 SearchIndexer.exe (25 occurrences)
Token: SeDebugPrivilege 3352 Purchase Order.exe (5 occurrences)
-
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 3352 Purchase Order.exe -
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target
PID 2072 wrote to memory of 3352 2072 Purchase Order.exe 89 (8 occurrences)
PID 3352 wrote to memory of 1632 3352 Purchase Order.exe 95 (5 occurrences)
PID 4452 wrote to memory of 5072 4452 SearchIndexer.exe 117 (2 occurrences)
PID 4452 wrote to memory of 4868 4452 SearchIndexer.exe 118 (2 occurrences)
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2072
  Child: C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe"
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3352
    Child: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      - Accesses Microsoft Outlook profiles
      - outlook_office_path
      - outlook_win_path
      PID:1632
-
C:\Windows\System32\alg.exe
  Command line: C:\Windows\System32\alg.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:2696
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  - Executes dropped EXE
  PID:2304
-
C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
  PID:2292
-
C:\Windows\system32\fxssvc.exe
  Command line: C:\Windows\system32\fxssvc.exe
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4640
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
  Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
  - Executes dropped EXE
  PID:1696
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
  - Executes dropped EXE
  PID:3932
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
  Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:4432
-
C:\Windows\System32\msdtc.exe
  Command line: C:\Windows\System32\msdtc.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  PID:3180
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
  Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
  - Executes dropped EXE
  PID:3148
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  - Executes dropped EXE
  PID:1976
-
C:\Windows\SysWow64\perfhost.exe
  Command line: C:\Windows\SysWow64\perfhost.exe
  - Executes dropped EXE
  PID:1392
-
C:\Windows\system32\locator.exe
  Command line: C:\Windows\system32\locator.exe
  - Executes dropped EXE
  PID:3788
-
C:\Windows\System32\SensorDataService.exe
  Command line: C:\Windows\System32\SensorDataService.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID:348
-
C:\Windows\System32\snmptrap.exe
  Command line: C:\Windows\System32\snmptrap.exe
  - Executes dropped EXE
  PID:1592
-
C:\Windows\system32\spectrum.exe
  Command line: C:\Windows\system32\spectrum.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID:1492
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
  Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
  - Executes dropped EXE
  PID:2732
-
C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
  PID:2928
-
C:\Windows\system32\TieringEngineService.exe
  Command line: C:\Windows\system32\TieringEngineService.exe
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:4060
-
C:\Windows\system32\AgentService.exe
  Command line: C:\Windows\system32\AgentService.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3556
-
C:\Windows\System32\vds.exe
  Command line: C:\Windows\System32\vds.exe
  - Executes dropped EXE
  PID:4736
-
C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4764
-
C:\Windows\system32\wbengine.exe
  Command line: "C:\Windows\system32\wbengine.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4664
-
C:\Windows\system32\wbem\WmiApSrv.exe
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
  - Executes dropped EXE
  PID:4084
-
C:\Windows\system32\SearchIndexer.exe
  Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4452
  Child: C:\Windows\system32\SearchProtocolHost.exe
    Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
    - Modifies data under HKEY_USERS
    PID:5072
  Child: C:\Windows\system32\SearchFilterHost.exe
    Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 924 928 936 8192 932 908
    - Modifies data under HKEY_USERS
    PID:4868
-
Downloads