blustealer | 9d603074042f5d594bc2710ed1545ce7648f35ea0ad789ed1ffbfa2d294faf55

Analysis

max time kernel
145s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
16-05-2023 08:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Order-688930021178.exe
Size

1.4MB
MD5

bd064f5b67dcb30de45b19e11d424f53
SHA1

cfe03d52e6af08c9ad2d7c7f3b7afbd4d7e5794d
SHA256

9d603074042f5d594bc2710ed1545ce7648f35ea0ad789ed1ffbfa2d294faf55
SHA512

20a2b6c6bcddaa77f5a5b7dee4d1a6bc14eeae093cdd5b20cdf2567606f3253d48cf60463f6aa380bf43d541733cbb06543fd21ce271821311057e250c886cb8
SSDEEP

24576:+JDy73Le60VNu1ZtGYNitrP7DVvIiK7vog0soXrmiSyqDG2whTfrO:+U7q60VNu1ZtZ4tr7DVGog0sovnq2zO

Score

10^/10

blustealer collection spyware stealer

Malware Config

Extracted

Family

blustealer

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 22 IoCs

pid	Process
3324	alg.exe
2776	DiagnosticsHub.StandardCollector.Service.exe
752	fxssvc.exe
1036	elevation_service.exe
1132	elevation_service.exe
1140	maintenanceservice.exe
3024	msdtc.exe
3496	OSE.EXE
748	PerceptionSimulationService.exe
460	perfhost.exe
3524	locator.exe
1404	SensorDataService.exe
4692	snmptrap.exe
5044	spectrum.exe
4840	ssh-agent.exe
4192	TieringEngineService.exe
4120	AgentService.exe
3492	vds.exe
2896	vssvc.exe
1440	wbengine.exe
1568	WmiApSrv.exe
4424	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	Order-688930021178.exe
File opened for modification	C:\Windows\system32\dllhost.exe	Order-688930021178.exe
File opened for modification	C:\Windows\system32\spectrum.exe	Order-688930021178.exe
File opened for modification	C:\Windows\system32\wbengine.exe	Order-688930021178.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	Order-688930021178.exe
File opened for modification	C:\Windows\System32\msdtc.exe	Order-688930021178.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	Order-688930021178.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	Order-688930021178.exe
File opened for modification	C:\Windows\System32\vds.exe	Order-688930021178.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\7530a93bc0346ca3.bin	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	Order-688930021178.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	Order-688930021178.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	Order-688930021178.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	Order-688930021178.exe
File opened for modification	C:\Windows\system32\vssvc.exe	Order-688930021178.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	Order-688930021178.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	Order-688930021178.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	Order-688930021178.exe
File opened for modification	C:\Windows\system32\msiexec.exe	Order-688930021178.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	Order-688930021178.exe
File opened for modification	C:\Windows\system32\locator.exe	Order-688930021178.exe
File opened for modification	C:\Windows\system32\AgentService.exe	Order-688930021178.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	Order-688930021178.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4228 set thread context of 4372	4228	Order-688930021178.exe	91
PID 4372 set thread context of 2200	4372	Order-688930021178.exe	118

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jjs.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\ktab.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\orbd.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javacpl.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmic.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\klist.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\rmid.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\unpack200.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\java-rmi.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\klist.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\orbd.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\nbexec.exe	Order-688930021178.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	Order-688930021178.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	Order-688930021178.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jrunscript.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\rmiregistry.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\pack200.exe	Order-688930021178.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\kinit.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\wsgen.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	Order-688930021178.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstack.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstatd.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\keytool.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ssvagent.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javac.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmap.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\tnameserv.exe	Order-688930021178.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	Order-688930021178.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jsadebugd.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\orbd.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\keytool.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javaws.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Order-688930021178.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	Order-688930021178.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jp2launcher.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\ssvagent.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\tnameserv.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jjs.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jjs.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\native2ascii.exe	Order-688930021178.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	Order-688930021178.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000a0365c6d087d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cde22bc6d087d901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009eb4d2c6d087d901	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c419e0c7d087d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000401934a2d087d901	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000061f332c6d087d901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a43a9ec6d087d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000031756cc3d087d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f47ce2c7d087d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	87	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
4372	Order-688930021178.exe
4372	Order-688930021178.exe
4372	Order-688930021178.exe
4372	Order-688930021178.exe
4372	Order-688930021178.exe
4372	Order-688930021178.exe
4372	Order-688930021178.exe
4372	Order-688930021178.exe
4372	Order-688930021178.exe
4372	Order-688930021178.exe
4372	Order-688930021178.exe
4372	Order-688930021178.exe
4372	Order-688930021178.exe
4372	Order-688930021178.exe
4372	Order-688930021178.exe
4372	Order-688930021178.exe
4372	Order-688930021178.exe
4372	Order-688930021178.exe
4372	Order-688930021178.exe
4372	Order-688930021178.exe
4372	Order-688930021178.exe
4372	Order-688930021178.exe
4372	Order-688930021178.exe
4372	Order-688930021178.exe
4372	Order-688930021178.exe
4372	Order-688930021178.exe
4372	Order-688930021178.exe
4372	Order-688930021178.exe
4372	Order-688930021178.exe
4372	Order-688930021178.exe
4372	Order-688930021178.exe
4372	Order-688930021178.exe
4372	Order-688930021178.exe
4372	Order-688930021178.exe
4372	Order-688930021178.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4372	Order-688930021178.exe
Token: SeAuditPrivilege	752	fxssvc.exe
Token: SeRestorePrivilege	4192	TieringEngineService.exe
Token: SeManageVolumePrivilege	4192	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4120	AgentService.exe
Token: SeBackupPrivilege	2896	vssvc.exe
Token: SeRestorePrivilege	2896	vssvc.exe
Token: SeAuditPrivilege	2896	vssvc.exe
Token: SeBackupPrivilege	1440	wbengine.exe
Token: SeRestorePrivilege	1440	wbengine.exe
Token: SeSecurityPrivilege	1440	wbengine.exe
Token: 33	4424	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4424	SearchIndexer.exe
Token: SeDebugPrivilege	4372	Order-688930021178.exe
Token: SeDebugPrivilege	4372	Order-688930021178.exe
Token: SeDebugPrivilege	4372	Order-688930021178.exe
Token: SeDebugPrivilege	4372	Order-688930021178.exe
Token: SeDebugPrivilege	4372	Order-688930021178.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4372	Order-688930021178.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 4228 wrote to memory of 4372	4228	Order-688930021178.exe	91
PID 4228 wrote to memory of 4372	4228	Order-688930021178.exe	91
PID 4228 wrote to memory of 4372	4228	Order-688930021178.exe	91
PID 4228 wrote to memory of 4372	4228	Order-688930021178.exe	91
PID 4228 wrote to memory of 4372	4228	Order-688930021178.exe	91
PID 4228 wrote to memory of 4372	4228	Order-688930021178.exe	91
PID 4228 wrote to memory of 4372	4228	Order-688930021178.exe	91
PID 4228 wrote to memory of 4372	4228	Order-688930021178.exe	91
PID 4372 wrote to memory of 2200	4372	Order-688930021178.exe	118
PID 4372 wrote to memory of 2200	4372	Order-688930021178.exe	118
PID 4372 wrote to memory of 2200	4372	Order-688930021178.exe	118
PID 4372 wrote to memory of 2200	4372	Order-688930021178.exe	118
PID 4372 wrote to memory of 2200	4372	Order-688930021178.exe	118
PID 4424 wrote to memory of 1500	4424	SearchIndexer.exe	119
PID 4424 wrote to memory of 1500	4424	SearchIndexer.exe	119
PID 4424 wrote to memory of 4664	4424	SearchIndexer.exe	120
PID 4424 wrote to memory of 4664	4424	SearchIndexer.exe	120

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\Order-688930021178.exe
"C:\Users\Admin\AppData\Local\Temp\Order-688930021178.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4228
- C:\Users\Admin\AppData\Local\Temp\Order-688930021178.exe
  "C:\Users\Admin\AppData\Local\Temp\Order-688930021178.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4372
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path
    PID:2200

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3324

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2776

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4364

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:752

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1036

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1132

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1140

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3024

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3496

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:748

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:460

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3524

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1404

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4692

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5044

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4840

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1232

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4192

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4120

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3492

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2896

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1440

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1568

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4424
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1500
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4664

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
2b6506a0a8365729f6efec1d3ec25467

SHA1
aac2980f8c9593836bfd07c9f96d5852cd30e7cc

SHA256
72e87e79a9a6ee1caee6fdf3d78adeb6ecb28916f24714f4cacb795b10aeb2de

SHA512
f398ab334068b50fd14109f892f73229317eb99ca7ff38c68cd45c32925f58a98fe3d824fac8784d2469746167aa24f5487a6ddbcff35afc0bdfca7e39e2fe60

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
422d76f25968d1420e47c42dd1ddebbc

SHA1
c914f1b622b50218d8227dfe9429eb0bace0b668

SHA256
2a4d39bc3d6ef798cb6f8f541ba6e6edf1d3963f438b6608132043d885e0a80e

SHA512
c35dd71c7294044f4e24c30e1ab3c3643cd8e2595a8323381df4fc38de085a5f2efb096fadf0178c55cdf846584a2d17003a4c5f3cd25e7ab0b9233b01ebb0ea

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
2fe82d413c1a967de5106f6aad00c7a2

SHA1
b5a190c19063905d20d62120e67c717059ae334b

SHA256
6fe7238195017b316c85f7936ce51dc2a0471398d9cf5817ab45def6aa1ed181

SHA512
4cd0c65c775d772dcfaa46d60a601394e390a66b7e513c9f5b3a71c03e6b42f2b5a0d6f0f2ae2fd949b8e37131aa3e29bb745d5b5cf5c05ace296548e86f4856

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
cabf09a10c492cb8217f31be58ac2c3f

SHA1
69e05d854581097c27795ea9505ca3c4eb665867

SHA256
d007553b54baf1c992dea590be7999079acbe3bb87de34964c3a4bf091fee3dc

SHA512
613e6e136ef385b9636a0cc2a2ca2097a3caf2db6996579cb694d382c891c734847661f891508551d4e62f3d866d1e282518ed1f933c95f8dcbe57dcfe92a3ea

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
3ea582fe2f868fa0faa3bd6ee5adbec2

SHA1
f9f8e4d4a7e0729fe66699e4bb06e73609601e08

SHA256
7c08f77598070ad0478f9032671c09f55d7d05b8d6c46798df8d50680c5204c6

SHA512
7ca3f7fb6cb383f36d4b2b2b908c2ca2f52c6abca57beb6432521c67d439abec44ab99c68b2d70d01e7c1a637722f15f453e8cbde3718abcf1f97f3844b1013a

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
9d6673604c59da287f1cd3ec32b17270

SHA1
4a797cce8c19dabc04544741151346b0197be689

SHA256
b36fb21c480fa6e044f1360c948999e3d1069e80e73a742a26adc59fc33c8779

SHA512
8e43cfa44087c80944c829e13b0a3ef68b6d0305c81bcdb27200ddd67eb9b8d9b1068e59047ea3f353bbca10ea811d4254eb8f847eac96b56c16daa2936da92b

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
c1a73a766e16e3b572bc9a461a5fbe18

SHA1
a7fb505577249c8b7f4ada3ce688c9e61640830c

SHA256
8e09b597f38dd1e360427c0bebee3d75ac4c96c427015f9cda52eb9f2a65f652

SHA512
69f46e302348cfe5f6ded3013c274a1aab91fdaa0f8cc5acb08d12392ca792bdcf9540268473f798c305c7dd809528f3e9fd2898275b2d044178985292af16d8

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
81266f39fcacfd60bf7c4a4af48037cd

SHA1
1319b6ce493b736eb9f2e19f0b313124f5a1d427

SHA256
4bd39101c391ce0a534eb2c3aa023d5d148421dc8bf8c591186634a1042f0ec6

SHA512
5e091cb9631d333c35d52410e66eb6b23e24e3b36662c215eb1c844c824f6d43798a20dd1c5d35b64a8267c20f431df6f53ad376b2689a7dc00c23727f896796

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
c620256c8c1c58b5ccc914387cb137d3

SHA1
9030599e9abe3641a4ffe09bfd23b27282fc37d1

SHA256
5e47d00b00d9f449dc96357c36354c7adadf18cac7caf44c2b09f8ebf65cbd42

SHA512
4455d9f5c21dce4d485da37664cbde0a5ddcca38ceedff4bc23f79e480c10c9dae406c62600847f8d6ccff7e07f56ca06577e6d23558eadc9a09aceed61b2d77

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
84fd21d0a1fd2f2f809d53d2db7880df

SHA1
afddf2b51f7befb71268cc04e1b448948e1165f2

SHA256
1e193d08a7950178329ca0a9cc153b393ef64daf87573e411fc4ac6142e1ba7f

SHA512
efe3b9068510bae5fc5a5ec4544431290bc8841c5910e7967dd369bb218566210bf43b56758778dc18df9174533767661148c68317255f6e0ac8c3632f92d9ca

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
84fd21d0a1fd2f2f809d53d2db7880df

SHA1
afddf2b51f7befb71268cc04e1b448948e1165f2

SHA256
1e193d08a7950178329ca0a9cc153b393ef64daf87573e411fc4ac6142e1ba7f

SHA512
efe3b9068510bae5fc5a5ec4544431290bc8841c5910e7967dd369bb218566210bf43b56758778dc18df9174533767661148c68317255f6e0ac8c3632f92d9ca

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
2d125bd4738cc542d8da5fbb3c34b166

SHA1
4b43ef72dc2682501ae5953d4407515add843dcd

SHA256
ab4013ea6301bfe18b13fb2c6d59b2b21a203777bb743dd1ab5bbe231c1007f2

SHA512
370549b61563616fb53ceb59ac09852af4ae8d2cce532dea2cc3899bc6d54f49df7202df4906fd1a4ced3f3ae0eb98ed06ed6b8a6181244626dd675fbd1aa639

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
607d8ee801c7983caa0b68d7d4bb9c45

SHA1
0c97a2ec79a9f2da98ae20920f84410a6de4f454

SHA256
d151146a842b230af672f51b87c7c48ff2b1d23a3f06d5167d40aae7c2c8a060

SHA512
94c67c182d86027c051827040ead462f4da7a1d46af95e8935c5e2d00b8335c76375e637697afd29c4c1044cfc4016b5962e1a6c8d5c36673b0ef641f6e770fc

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
60eb0263342bad442bdf986d0a26c639

SHA1
48fc963ab16c9786d528f8d6848149e154d58113

SHA256
1fde861e1a3c0c7a691eac49d6a48ba7e14232be8eb6ed60cfe0d0a0187c8d5d

SHA512
41757a49ac64b41a1a3ad1ed4153a0f9c3dcff70139a19dc32168bf73c9e57fbec2e9c3364b116368a115f012872dcb88b3ffb8b7cd429af7c23caaa4e14372c

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
a5c03e832a0be2c5e3d15ef37f065385

SHA1
a36a61721f60af4cc3935af92fd33bbe4ca17301

SHA256
cbbe2aef793bcacced6babf2138a2827a7cf03799b7503193c90c5ad877ca3cc

SHA512
906f1a87c9db6d61198db21bead74ed7c1aee6fe44399f004392f37918ffb38fe3d98beb58a0afd0ce856a91e4c665aa67d9e1c23521192617fb824b0ca13b6a

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
71f7e0c7fcfb92db546edd0b2b517823

SHA1
605a6ee2cbaf698c8cade5aa10fc619d21a4ce0e

SHA256
a21b0bc964f090c5fd1b14cd05efa947223f0813a8708dccc1ecccb6fc417dee

SHA512
fb89f36bd1111554549c0c74e1bf2b3b46f05efd433257b68225ac1eca2663e87c17889b1dd5698be7ec3a96eb0bf4af0ae5d8196179f4f22d8d3c169066e562

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
9ac06a0f72f468184cf74e08c3674534

SHA1
13fe9d4c2c1d4eab9d05855864c84daceec78207

SHA256
f6c05d4f81d98846bbb30357d057e739a0f87d9fb5c7b6cedd082c91590d8bfd

SHA512
977dfd9413e3101296a76b74f15883da5383eb05457ed468dbd24b4b55228e9d673c1b8bbd37c9679e4e53acdf5d1a5ab74ecf7f24de0f6d74810e2c86559729

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
4ad44ea237054eee966f66d3b98f15e7

SHA1
450923d7321ac59fcbe631f6f3d0c0358f255b0c

SHA256
4f49cd43a1375fa20a08a098420747baadc190042c4746f8ba5603e0dd658be4

SHA512
7f2bef393950348bde451f075330a010cfb160b23a024bda1f63a53288f5f9b03c66b572d828ab87fbba16a3679d92a4e88123ec4f853d17f448959c8eaa9aa1

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
5352f18c8787eef494b81236f0d65d91

SHA1
9ca90dffcdaacaaca2857ad993cef43b9ce4e9c5

SHA256
ad160cd31cead132c18234952f2cdd446d8bbe85ca5fb21797bd41ad42307433

SHA512
c4de302239698a34dd93a3003fe1f67d3f39dc8a02ca2ed474cf8100034a4fff4529621e9c1e6249f9ba243fed64fa93131a9176b463fbddc3eb1f6ee7c4a9ac

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
61ed98fe9478afd8c7baca13497d4f3e

SHA1
3ac5a754c739d4a51c0ab1228301cf4de2117ff4

SHA256
c6c0a51748db8d61e0be2cada68182079ae47683138f2d70ef85677ca06f8ce4

SHA512
d99cfe7e65d01431be0cc81f5f974f0bba0c596cdcdd3485c0d05c481a08b8f5e58a01fa298c9a643243aa6e47ae2a85201ef97826bfaae6a190148466bece28

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
3b916c831415b514b304ac677ed91a72

SHA1
f8f5c540a835939f4c9cd12090eab421fbd5501f

SHA256
33440faf869597f39516663afa1e197e15fb3167047491b5022b20d382c912e2

SHA512
fb784187738119648d9e1950f50f87d21490978faaafa95d100e425304ad34df0119f55f1d6e1fc606da650a57f85804580f3da01814901749726095f5b605ab

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
8173e265b58d52e01d6da16bb7676eab

SHA1
2581b5e079d5ec31d4e3cd0b7c6a69af5f188a2f

SHA256
e624460cfc98be3d6d7236a7da59ca68cc999dde9196749b677d88146922052d

SHA512
2049577099d00acd6f7689c0223666bed873095cf491a355d3fe9de86b92e0a8915bdbae4eeecc46ad396290357e5b040352c48d1c4fec4dc8c394db5a117c86

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
b9952d33135e3f4af9d0fafe418d9359

SHA1
63ca3d95dc37ba9f45bda822d0686e60aaf7c69f

SHA256
b96d5fedba69c627389516299bb1a2e0c234dbd67a3c82a000199376d2ae96de

SHA512
0603dfc64af14f8ba09d66ea82da8c3de453c5eddef0641a27127b768e07f682d16721784644bae129e786b5b0fc84ba8cb8da7124ac609b60540b3e47f51d2f

Download Submit
memory/460-285-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/748-261-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/748-470-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/752-187-0x0000000000E20000-0x0000000000E80000-memory.dmp

Filesize
384KB

Download
memory/752-181-0x0000000000E20000-0x0000000000E80000-memory.dmp

Filesize
384KB

Download
memory/752-195-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/752-201-0x0000000000E20000-0x0000000000E80000-memory.dmp

Filesize
384KB

Download
memory/752-204-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1036-197-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1036-191-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1036-199-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1036-403-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1132-206-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/1132-220-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1132-416-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1132-212-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/1140-216-0x0000000001A00000-0x0000000001A60000-memory.dmp

Filesize
384KB

Download
memory/1140-222-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1140-224-0x0000000001A00000-0x0000000001A60000-memory.dmp

Filesize
384KB

Download
memory/1140-228-0x0000000001A00000-0x0000000001A60000-memory.dmp

Filesize
384KB

Download
memory/1140-230-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1404-302-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1404-489-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1440-405-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1568-603-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/1568-406-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/2200-490-0x0000000000840000-0x00000000008A6000-memory.dmp

Filesize
408KB

Download
memory/2776-170-0x0000000000490000-0x00000000004F0000-memory.dmp

Filesize
384KB

Download
memory/2776-381-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/2776-178-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/2776-176-0x0000000000490000-0x00000000004F0000-memory.dmp

Filesize
384KB

Download
memory/2896-383-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2896-588-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3024-232-0x0000000000650000-0x00000000006B0000-memory.dmp

Filesize
384KB

Download
memory/3024-438-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/3024-240-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/3324-164-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/3324-156-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/3324-361-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/3324-160-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/3492-587-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3492-364-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3496-260-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/3524-287-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/3524-520-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/4120-358-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4192-344-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/4192-584-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/4228-134-0x0000000005090000-0x0000000005634000-memory.dmp

Filesize
5.6MB

Download
memory/4228-136-0x0000000004C40000-0x0000000004C4A000-memory.dmp

Filesize
40KB

Download
memory/4228-139-0x00000000068D0000-0x000000000696C000-memory.dmp

Filesize
624KB

Download
memory/4228-137-0x0000000004D50000-0x0000000004D60000-memory.dmp

Filesize
64KB

Download
memory/4228-135-0x0000000004B90000-0x0000000004C22000-memory.dmp

Filesize
584KB

Download
memory/4228-138-0x0000000004D50000-0x0000000004D60000-memory.dmp

Filesize
64KB

Download
memory/4228-133-0x0000000000090000-0x00000000001FC000-memory.dmp

Filesize
1.4MB

Download
memory/4372-140-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/4372-159-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/4372-149-0x0000000003540000-0x00000000035A6000-memory.dmp

Filesize
408KB

Download
memory/4372-144-0x0000000003540000-0x00000000035A6000-memory.dmp

Filesize
408KB

Download
memory/4372-143-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/4424-604-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4424-417-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4664-693-0x000002855E590000-0x000002855E5A0000-memory.dmp

Filesize
64KB

Download
memory/4664-695-0x000002855E590000-0x000002855E5A0000-memory.dmp

Filesize
64KB

Download
memory/4664-769-0x000002855E590000-0x000002855E5A0000-memory.dmp

Filesize
64KB

Download
memory/4664-768-0x000002855E590000-0x000002855E5A0000-memory.dmp

Filesize
64KB

Download
memory/4664-767-0x000002855E590000-0x000002855E5A0000-memory.dmp

Filesize
64KB

Download
memory/4664-657-0x000002855E450000-0x000002855E460000-memory.dmp

Filesize
64KB

Download
memory/4664-658-0x000002855E460000-0x000002855E461000-memory.dmp

Filesize
4KB

Download
memory/4664-691-0x000002855E590000-0x000002855E5A0000-memory.dmp

Filesize
64KB

Download
memory/4664-692-0x000002855E590000-0x000002855E5A0000-memory.dmp

Filesize
64KB

Download
memory/4664-765-0x000002855E590000-0x000002855E5A0000-memory.dmp

Filesize
64KB

Download
memory/4664-694-0x000002855E590000-0x000002855E5A0000-memory.dmp

Filesize
64KB

Download
memory/4664-766-0x000002855E590000-0x000002855E5A0000-memory.dmp

Filesize
64KB

Download
memory/4664-712-0x000002855E590000-0x000002855E592000-memory.dmp

Filesize
8KB

Download
memory/4664-762-0x000002855E460000-0x000002855E461000-memory.dmp

Filesize
4KB

Download
memory/4664-763-0x000002855E590000-0x000002855E5A0000-memory.dmp

Filesize
64KB

Download
memory/4664-764-0x000002855E590000-0x000002855E5A0000-memory.dmp

Filesize
64KB

Download
memory/4692-304-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/4692-550-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/4840-343-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/5044-551-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5044-322-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download