blustealer | 12e44eb4bc1b8ddd19bb13f6794cfed8721e58ac3065d04c2ccb6a8a3ed30f49

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
17-05-2023 09:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Order-688930021178.exe
Size

1.4MB
MD5

539273fcc95bb7f4c80a9f2f606d74ec
SHA1

48e3f1b32bd1ea099bdfea58e00c25202a99633c
SHA256

12e44eb4bc1b8ddd19bb13f6794cfed8721e58ac3065d04c2ccb6a8a3ed30f49
SHA512

0994942133fc9dbbe7cbe2f21fe5dfc427508e3985ca8537b2b25104073e38040d7e632e4df0a7d285ef61893a3846123fa60179104d64dbd4cf22968ca99a6f
SSDEEP

24576:UhtPtftOfNmMvnYJJeT9zZm2ifn9fvt6quQyFyyHC2bP6nD:EtPVtymM/eeTFZm28xtxZabP6nD

Score

10^/10

blustealer collection spyware stealer

Malware Config

Extracted

Family

blustealer

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 22 IoCs

pid	Process
2200	alg.exe
4756	DiagnosticsHub.StandardCollector.Service.exe
1228	fxssvc.exe
4668	elevation_service.exe
3400	elevation_service.exe
1596	maintenanceservice.exe
3668	msdtc.exe
5068	OSE.EXE
1940	PerceptionSimulationService.exe
1136	perfhost.exe
4368	locator.exe
232	SensorDataService.exe
1320	snmptrap.exe
4968	spectrum.exe
5104	ssh-agent.exe
4592	TieringEngineService.exe
3864	AgentService.exe
376	vds.exe
3220	vssvc.exe
428	wbengine.exe
4164	WmiApSrv.exe
3716	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	Order-688930021178.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	Order-688930021178.exe
File opened for modification	C:\Windows\system32\locator.exe	Order-688930021178.exe
File opened for modification	C:\Windows\system32\AgentService.exe	Order-688930021178.exe
File opened for modification	C:\Windows\system32\vssvc.exe	Order-688930021178.exe
File opened for modification	C:\Windows\system32\wbengine.exe	Order-688930021178.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	Order-688930021178.exe
File opened for modification	C:\Windows\System32\alg.exe	Order-688930021178.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	Order-688930021178.exe
File opened for modification	C:\Windows\system32\spectrum.exe	Order-688930021178.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	Order-688930021178.exe
File opened for modification	C:\Windows\System32\vds.exe	Order-688930021178.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	Order-688930021178.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	Order-688930021178.exe
File opened for modification	C:\Windows\system32\dllhost.exe	Order-688930021178.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	Order-688930021178.exe
File opened for modification	C:\Windows\system32\msiexec.exe	Order-688930021178.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	Order-688930021178.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	Order-688930021178.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\1dda5306c0346ca3.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	Order-688930021178.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	Order-688930021178.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	Order-688930021178.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4644 set thread context of 3936	4644	Order-688930021178.exe	92
PID 3936 set thread context of 616	3936	Order-688930021178.exe	119

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\tnameserv.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\ssvagent.exe	Order-688930021178.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\keytool.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmid.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javacpl.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javaws.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\pack200.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jps.exe	Order-688930021178.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	Order-688930021178.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	Order-688930021178.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\policytool.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\wsgen.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\servertool.exe	Order-688930021178.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jcmd.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\keytool.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\policytool.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jinfo.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\klist.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmiregistry.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\orbd.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Order-688930021178.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\pack200.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	Order-688930021178.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Order-688930021178.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdb.exe	Order-688930021178.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Order-688930021178.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javaw.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Order-688930021178.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	Order-688930021178.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmc.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javacpl.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	Order-688930021178.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Order-688930021178.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\serialver.exe	Order-688930021178.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	Order-688930021178.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f53ebe409f88d901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000020bfe01c9f88d901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a9498b419f88d901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000123fa3d9f88d901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000109215429f88d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000027d637419f88d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000064dabb409f88d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	90	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
4644	Order-688930021178.exe
4644	Order-688930021178.exe
3936	Order-688930021178.exe
3936	Order-688930021178.exe
3936	Order-688930021178.exe
3936	Order-688930021178.exe
3936	Order-688930021178.exe
3936	Order-688930021178.exe
3936	Order-688930021178.exe
3936	Order-688930021178.exe
3936	Order-688930021178.exe
3936	Order-688930021178.exe
3936	Order-688930021178.exe
3936	Order-688930021178.exe
3936	Order-688930021178.exe
3936	Order-688930021178.exe
3936	Order-688930021178.exe
3936	Order-688930021178.exe
3936	Order-688930021178.exe
3936	Order-688930021178.exe
3936	Order-688930021178.exe
3936	Order-688930021178.exe
3936	Order-688930021178.exe
3936	Order-688930021178.exe
3936	Order-688930021178.exe
3936	Order-688930021178.exe
3936	Order-688930021178.exe
3936	Order-688930021178.exe
3936	Order-688930021178.exe
3936	Order-688930021178.exe
3936	Order-688930021178.exe
3936	Order-688930021178.exe
3936	Order-688930021178.exe
3936	Order-688930021178.exe
3936	Order-688930021178.exe
3936	Order-688930021178.exe
3936	Order-688930021178.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeDebugPrivilege	4644	Order-688930021178.exe
Token: SeTakeOwnershipPrivilege	3936	Order-688930021178.exe
Token: SeAuditPrivilege	1228	fxssvc.exe
Token: SeRestorePrivilege	4592	TieringEngineService.exe
Token: SeManageVolumePrivilege	4592	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3864	AgentService.exe
Token: SeBackupPrivilege	3220	vssvc.exe
Token: SeRestorePrivilege	3220	vssvc.exe
Token: SeAuditPrivilege	3220	vssvc.exe
Token: SeBackupPrivilege	428	wbengine.exe
Token: SeRestorePrivilege	428	wbengine.exe
Token: SeSecurityPrivilege	428	wbengine.exe
Token: 33	3716	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3716	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3716	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3716	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3716	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3716	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3716	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3716	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3716	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3716	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3716	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3716	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3716	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3716	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3716	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3716	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3716	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3716	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3716	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3716	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3716	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3716	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3716	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3716	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3716	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3716	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3716	SearchIndexer.exe
Token: SeDebugPrivilege	3936	Order-688930021178.exe
Token: SeDebugPrivilege	3936	Order-688930021178.exe
Token: SeDebugPrivilege	3936	Order-688930021178.exe
Token: SeDebugPrivilege	3936	Order-688930021178.exe
Token: SeDebugPrivilege	3936	Order-688930021178.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3936	Order-688930021178.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 4644 wrote to memory of 4796	4644	Order-688930021178.exe	91
PID 4644 wrote to memory of 4796	4644	Order-688930021178.exe	91
PID 4644 wrote to memory of 4796	4644	Order-688930021178.exe	91
PID 4644 wrote to memory of 3936	4644	Order-688930021178.exe	92
PID 4644 wrote to memory of 3936	4644	Order-688930021178.exe	92
PID 4644 wrote to memory of 3936	4644	Order-688930021178.exe	92
PID 4644 wrote to memory of 3936	4644	Order-688930021178.exe	92
PID 4644 wrote to memory of 3936	4644	Order-688930021178.exe	92
PID 4644 wrote to memory of 3936	4644	Order-688930021178.exe	92
PID 4644 wrote to memory of 3936	4644	Order-688930021178.exe	92
PID 4644 wrote to memory of 3936	4644	Order-688930021178.exe	92
PID 3936 wrote to memory of 616	3936	Order-688930021178.exe	119
PID 3936 wrote to memory of 616	3936	Order-688930021178.exe	119
PID 3936 wrote to memory of 616	3936	Order-688930021178.exe	119
PID 3936 wrote to memory of 616	3936	Order-688930021178.exe	119
PID 3936 wrote to memory of 616	3936	Order-688930021178.exe	119
PID 3716 wrote to memory of 180	3716	SearchIndexer.exe	120
PID 3716 wrote to memory of 180	3716	SearchIndexer.exe	120
PID 3716 wrote to memory of 4172	3716	SearchIndexer.exe	121
PID 3716 wrote to memory of 4172	3716	SearchIndexer.exe	121

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\Order-688930021178.exe
"C:\Users\Admin\AppData\Local\Temp\Order-688930021178.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4644
- C:\Users\Admin\AppData\Local\Temp\Order-688930021178.exe
  "C:\Users\Admin\AppData\Local\Temp\Order-688930021178.exe"
  2⤵
  PID:4796
- C:\Users\Admin\AppData\Local\Temp\Order-688930021178.exe
  "C:\Users\Admin\AppData\Local\Temp\Order-688930021178.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3936
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path
    PID:616

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2200

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4756

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2364

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1228

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4668

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3400

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1596

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3668

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:5068

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1940

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1136

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4368

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:232

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1320

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4968

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5104

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2124

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4592

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3864

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:376

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3220

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:428

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4164

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3716
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:180
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 900
  2⤵
  - Modifies data under HKEY_USERS
  PID:4172

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
825198bec33d3454ba7fdc68d92fde8a

SHA1
25c978b7c19d5d8782288e0b5478c6d4c0dcbabc

SHA256
239cc9e1392678e230a49514ea60bad41da3189d8cdf3cdd346df04cfa969a1c

SHA512
35f096637415886d9ebb9da0269faa224605e8e2950af4d6cac484954ecb5e8c433e1b547acec96bd18772fe536c7c12a349a6d50b71c99952df8d8034cce0ea

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
602ff2bb6db92bd63a8e1f2608ad15ec

SHA1
c08dbd511938df231e78843fc6d399df44463399

SHA256
ba60a906f44883f076bc25350d5d9c6887a24f2593168b55d68df69e406eec6c

SHA512
accbc9e7de2a50ccf4b67635785ccb30aa076bcc9a1505a02ef127c5d88cd977083482e49b6f733eb5363d5544aeed7d8d5ecf4973bd2ff81b9a1e341cc1b8b7

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
7b9c5c73c096c31180b8a9b2954d77f8

SHA1
7880b1731bbf634f6a3a0d5b777e192310cfbca3

SHA256
66c2d24aab3857d361ca113977957304838beaf7966527163fda8cfc4c22453e

SHA512
8b50c6c507e28bedd96b4d0b5155806198a867f8df4b6a1698ab351600e83c7c125f51b008b9846aaae2dc68c831d1018fa39d1650bccaa5ffef6910f84e4142

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
49bbcd8ed06842c426298957ed7e7d7f

SHA1
910fcedf1da091fd70f5ae902fe46ec66a70b25e

SHA256
9128cc5b3d73614c5236ee7eaaf540e972987e35b72b9468f8e470c3d9b03b49

SHA512
0a2c5c32ce00dd37a5def77f60bc39d998ea7f01bfea8559ad85709273303bbb91970b073985b1d40026bfedb89fbdb3b657a710df9ab985dd6a6af98098a386

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
09564145836b3561d4b4513c9e60967a

SHA1
515cafe345ddf862855036c78147bf73f8ee2866

SHA256
4bf18962e6c5ca296793c2efe65300c0ab1864e0f079b579fd34bfd1a5205f09

SHA512
19cbce492b11188797ca7ad68f9eb91199a2764668f68a92fb8d17a61713583e8738e2c75b56bea0f724f9710c23e0941516371660a1d5141005cf1ebf3f83b7

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
954e8d3e00eb667e03e6f709bd95888a

SHA1
5e1f31bedc474dec6fa34e2d4da0fae745a14ebd

SHA256
97ccaa65cae4ffc29c8bb5d562a8c9b3df6f0d5c2fe72f820eeb803a35e11a26

SHA512
77f2c5b9fcd620625e3cd0e7cf2789620f39b005551e8212c31611c1bfd56a7d93a767fda09bcc34d049249a7e2374dcfdde6ac4979ebb191fb4515b11dcf72e

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
ae5bd01712487424a40f3301db180093

SHA1
c8fbbf1b68826a55e294c5a7d1814bf2b484d423

SHA256
bc7dda4785fd21fd838ca510146ce2b2c44fb093cc9d00914f109c51f7315f56

SHA512
fdd3b4c6aaaa62dc783593dcbc9190998c74782226ae174d308e5b325f4f706bc812c3e8d07eb59453e821f1a7806f5d91f6248401894b849b86866fb0c5730d

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
30342d5f276e8b73d55754b2b0190dbe

SHA1
8842daf88b0ac000c2993e32d8ab967413ca4d51

SHA256
029c1e3c46aa787d83107969baf089fa433f26346255c42cf444fbbe8d483914

SHA512
c1ca70bdc8c1626321863b0ba9377cd9a1375bed10cbc358d081db76ff7613d2b9940177d3aa0b7a98a766fe005ae9f5534a1eab38f1475f56d2ac56a67be583

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
92d5d1ebe531856827a55622b2b42a40

SHA1
60427e95f8d93963c1d8a606b911f8c7b33574a7

SHA256
63a6254c27b4e3c46cc31dc9fac9e192c0f837cb94b72239788d838960baaac7

SHA512
57142aae08cf209fb9ed0179d447e3cd3c875948a9cec7212f9ac23f2ac3a72ef55a7ef9de26b27ef6ff9e0f0e56c919c8673906a57066e32c34a9d6a63713d1

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
f556d11b1bbd0725ef0fe133b84b8b66

SHA1
b1fdaec8d3cc28512b38a94400b54bf69a265bd6

SHA256
ef64480535293358e91f77f1fcb9cbf34e76f6a5167bd44ebf0b061ec4843d29

SHA512
94596ac4e64c5fe698182a9b66b8350be58e2a7f82d85537b488c5515c347aaf78188b90d25370325125167447f8471d31db0d1cafaebafd2bc47b450bec1936

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
f556d11b1bbd0725ef0fe133b84b8b66

SHA1
b1fdaec8d3cc28512b38a94400b54bf69a265bd6

SHA256
ef64480535293358e91f77f1fcb9cbf34e76f6a5167bd44ebf0b061ec4843d29

SHA512
94596ac4e64c5fe698182a9b66b8350be58e2a7f82d85537b488c5515c347aaf78188b90d25370325125167447f8471d31db0d1cafaebafd2bc47b450bec1936

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
0f1fc07b163eb28b1a63f8a2d24c03d0

SHA1
9a271bdd5d6653bcc302eac8676cbc9fc544bbd3

SHA256
802672f1a9aa2f7943e93ca0c3dee919eb958dcd612a48bbbe42c18baa3a1caf

SHA512
9711fb93e1347997d014c88541966ce804e8f127725ccd8b17c0c34eb115fe26c43f74bc97407e546c9d9e48f3fe671c6593d4276ce8e2d6cd1c3263b00a17a6

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
5e30a0d9201f93af384ba167b39f02b9

SHA1
e0728cdb4ab47470dc08e83f227c233efeafe4b9

SHA256
52a1dbb3c8febb32165c607507f29c7143fb136d435cba557d50457c01d04ba2

SHA512
db7f46b02251f0162a39fa0ebb7bae8c6a65b5212366c3467f898cb2c50be237f5f44ce791dbcc5adc66ac451ce4b0fd135db53f1b84441a9d6ab2ac483efd68

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
3e208beeb1b8033060b9272f977ca434

SHA1
70183b9111b849e2b87f239043e9b067eea5db43

SHA256
e45b9e84bdb71b326c11fa063e1a06173923144c5b7c358db99d937b9d3df779

SHA512
35edf6b54147907883f83ad39f0b724dbd3b0fd20bb899989c33d44f08ace851c4fb4ceba409840aeb2a06dccec5acd54de7c21156e5d7a57343123c4f831f4b

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
58c6771c6ada1e68dad74481011f9af3

SHA1
ae58a74be7f2048d386c77e1a7fd419015e7cc04

SHA256
31e08fd8cda010e3ff0886c00f003081de32594cb0d94d459505e053eb5d1ad5

SHA512
683200349eafad9ec632cf6af8b8645215138e7deb1cf3eac9b0a4b76438e3336acaf1a5b68389cfa1153d40047f5dc83397628685928593ed90593fd9094133

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
ca3c159764c733c2ae415d34425a5170

SHA1
baab395204e90821e13bc3d04d510749aed8464c

SHA256
0fb4f0df6561c221cd86cc2fa042c141e66867f9945f3f9d6a3f340162c14b07

SHA512
4252384d3eb3bd88bf90b68f8276c311dc573dda964ca52951131f3f61c40be350d84bd979ad3f14bb5c3423467bda153f5a7d4d023022111ccc443d598ffc0f

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
643f26a9fa9f8f509b94f9cf652bcea6

SHA1
5f5c7d2acbfd7b2a231f1258b187e9c93d6ea2bb

SHA256
9edfa574c95750334d30427e1d2ae8e105d8d19cb8e8893f68e6162f46c5bfc0

SHA512
0c7a51078282357dade34b58dec537dcf5452d26edee60fba9761cbdad836cb12f08ccb271425569a110f03e5d71c93a3a839a40740b02f80142219328348b4b

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
7453bae7df09e58bf2b603af5c514656

SHA1
8600143c297bc3defc70b461187e696d4b626ed1

SHA256
d332d87f8fe69ff0b6f23384cd9514225a4b13b739e61335e363a3024c2f88ba

SHA512
75ecdf1bc426847384a559a672cdcc2faae3cae9267259be189c895358fa8140b9b7dfeac8d2bfe8daa74734474e96164f3e2657d217f15c30e67fe363d71fbb

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
b62411463457db0841cb3d93485da184

SHA1
c6f0349255042132e9032c5c6b21818d6fdf4d00

SHA256
26759a523f76980d13b512f10d362f39431ace3799b111da73593a7db7a925ac

SHA512
43cb32f61e1f39f4c584f4313720ad156269ceec432c1a11f8310eb2ba05cecffb7d114472dec7bef9111aa93036f19d49182263df61b6b10fa1c0b95b14a604

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
66b3b21b6071d416db8002623132f6b7

SHA1
4d477cf0e091b2a1400127b3833e6bd821a88b6a

SHA256
5bc8178b59d2eef646316eb5175c6eadcdeecdaa8751f9b6b12204f44606fbbe

SHA512
c7d83bb10d9f62e93c11ce54f000c4ea057991185af816b1f2c02cecb8e796900806d81b939c8cec5770dd6eff92848b0c2bd691f7e63a77fb818dcc08af0c4d

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
931fd5dd7ef20024e4b13212dd226e66

SHA1
bb042c3764c48cb5e5baacf37fe47c05d2d52c66

SHA256
63872cbe11c4e06da686c1b4791c711198c8c13763f46fc7fd31349d7850b43c

SHA512
3e721cab3e6b510bae08bfa81d956ae3ac6b455cdb4a43b1aad2ba81f5860057d9b4b16ec9b646dc1c7f9c891f429c87945f19615350e41eec91c2bbef00651c

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
f60b6f54453a1a20a35a1a742157bf8e

SHA1
79d600c06288533b53269206f914c9a65be70ee8

SHA256
a3901a4b088777eac1eda74b9d27772b6c1af450afa829cd096e5482f180d978

SHA512
a7c8555cf5caa47298e39ce559bd31785770cc39443aa7c3349ade708ad08d08a8e8046837fdfc8c257c82f962a1e5fb2307547df9adbc39f3e5d51acaeabf82

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
8905617185ae45bddd582a75603b8904

SHA1
95203d79fa04ef46832e2f01f18187d5b16f197e

SHA256
aab51b060bd35ec87e707f50bdc4f69fe8322d002c9037869396dbe94d746ddd

SHA512
dbccf89122c2f5be613312bac014bd8594ffe8e141c2c4af432e1944185d525a44addb07a0ab8c67e4ee588ac5fa4ff85d6870d449f58cde07b47326b1abe8fd

Download Submit
memory/232-469-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/232-300-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/376-373-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/376-595-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/428-395-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/616-487-0x0000000000500000-0x0000000000566000-memory.dmp

Filesize
408KB

Download
memory/1136-282-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/1228-182-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1228-201-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1228-198-0x0000000000980000-0x00000000009E0000-memory.dmp

Filesize
384KB

Download
memory/1228-181-0x0000000000980000-0x00000000009E0000-memory.dmp

Filesize
384KB

Download
memory/1228-188-0x0000000000980000-0x00000000009E0000-memory.dmp

Filesize
384KB

Download
memory/1320-320-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1596-216-0x00000000019F0000-0x0000000001A50000-memory.dmp

Filesize
384KB

Download
memory/1596-219-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1596-224-0x00000000019F0000-0x0000000001A50000-memory.dmp

Filesize
384KB

Download
memory/1596-230-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1596-227-0x00000000019F0000-0x0000000001A50000-memory.dmp

Filesize
384KB

Download
memory/1940-463-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/1940-262-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/2200-356-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/2200-157-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/2200-163-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/2200-166-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/3220-597-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3220-374-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3400-206-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/3400-217-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3400-414-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3400-212-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/3668-232-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/3668-432-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/3668-238-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/3716-415-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3716-602-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3864-360-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3936-150-0x0000000003450000-0x00000000034B6000-memory.dmp

Filesize
408KB

Download
memory/3936-144-0x0000000003450000-0x00000000034B6000-memory.dmp

Filesize
408KB

Download
memory/3936-334-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/3936-140-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/3936-143-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/3936-148-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/4164-412-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/4164-601-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/4172-673-0x000001E71BCB0000-0x000001E71BCB1000-memory.dmp

Filesize
4KB

Download
memory/4172-706-0x000001E71BCD0000-0x000001E71BCE0000-memory.dmp

Filesize
64KB

Download
memory/4172-753-0x000001E71BCC0000-0x000001E71BCF1000-memory.dmp

Filesize
196KB

Download
memory/4172-672-0x000001E71BCB0000-0x000001E71BCC0000-memory.dmp

Filesize
64KB

Download
memory/4172-671-0x000001E71BCA0000-0x000001E71BCB0000-memory.dmp

Filesize
64KB

Download
memory/4172-789-0x000001E71BCB0000-0x000001E71BCC0000-memory.dmp

Filesize
64KB

Download
memory/4368-283-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/4368-515-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/4592-355-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/4644-134-0x00000000057E0000-0x0000000005D84000-memory.dmp

Filesize
5.6MB

Download
memory/4644-139-0x0000000007270000-0x000000000730C000-memory.dmp

Filesize
624KB

Download
memory/4644-133-0x0000000000630000-0x00000000007A4000-memory.dmp

Filesize
1.5MB

Download
memory/4644-138-0x0000000005350000-0x0000000005360000-memory.dmp

Filesize
64KB

Download
memory/4644-136-0x00000000051E0000-0x00000000051EA000-memory.dmp

Filesize
40KB

Download
memory/4644-135-0x0000000005140000-0x00000000051D2000-memory.dmp

Filesize
584KB

Download
memory/4644-137-0x0000000005350000-0x0000000005360000-memory.dmp

Filesize
64KB

Download
memory/4668-200-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4668-203-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4668-393-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4668-192-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4756-180-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/4756-176-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4756-170-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4968-563-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4968-321-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5068-260-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/5104-338-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download