blustealer | b445018afa2dee3bda17e65e52a7a3c143b0ae31abd00d26f58a4fa3319dd523

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
18-05-2023 22:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Urgent-Order.exe
Size

1.4MB
MD5

1dab5e05ac3651db47b6f881dab8dd3e
SHA1

66c37ab30dc83b3519815b2406cc6dd332e4d91b
SHA256

b445018afa2dee3bda17e65e52a7a3c143b0ae31abd00d26f58a4fa3319dd523
SHA512

dd31a50b54385b3c1917e6eb17e7970c2fd97ec481c297865d7f37c7f2ea137ed8b60a131e7de5a7eee2278f5d26951c9da0be4e2babb00582993fb1cf8b4472
SSDEEP

24576:t9j0kMtM5Gcc59B40fuI3At9NzS1f8iGiEKjOWVQbHnERMJaICUQqi+4P8mHMC9i:7MOqu0fpAt9NzAEi7XxsERNB5PRsYo

Score

10^/10

blustealer collection spyware stealer

Malware Config

Extracted

Family

blustealer

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 22 IoCs

pid	Process
768	alg.exe
1172	DiagnosticsHub.StandardCollector.Service.exe
2748	fxssvc.exe
4440	elevation_service.exe
4740	elevation_service.exe
1684	maintenanceservice.exe
4496	msdtc.exe
3884	OSE.EXE
1752	PerceptionSimulationService.exe
3816	perfhost.exe
2488	locator.exe
4100	SensorDataService.exe
2408	snmptrap.exe
1220	spectrum.exe
2284	ssh-agent.exe
500	TieringEngineService.exe
4848	AgentService.exe
2304	vds.exe
3992	vssvc.exe
2320	wbengine.exe
3420	WmiApSrv.exe
64	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	Urgent-Order.exe
File opened for modification	C:\Windows\System32\alg.exe	Urgent-Order.exe
File opened for modification	C:\Windows\system32\dllhost.exe	Urgent-Order.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	Urgent-Order.exe
File opened for modification	C:\Windows\system32\locator.exe	Urgent-Order.exe
File opened for modification	C:\Windows\System32\vds.exe	Urgent-Order.exe
File opened for modification	C:\Windows\system32\msiexec.exe	Urgent-Order.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	Urgent-Order.exe
File opened for modification	C:\Windows\system32\spectrum.exe	Urgent-Order.exe
File opened for modification	C:\Windows\system32\vssvc.exe	Urgent-Order.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\5bae04c8c0346ca3.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	Urgent-Order.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	Urgent-Order.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	Urgent-Order.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	Urgent-Order.exe
File opened for modification	C:\Windows\system32\AgentService.exe	Urgent-Order.exe
File opened for modification	C:\Windows\system32\wbengine.exe	Urgent-Order.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	Urgent-Order.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	Urgent-Order.exe
File opened for modification	C:\Windows\System32\msdtc.exe	Urgent-Order.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	Urgent-Order.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	Urgent-Order.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	Urgent-Order.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1964 set thread context of 4184	1964	Urgent-Order.exe	91
PID 4184 set thread context of 1268	4184	Urgent-Order.exe	118

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmc.exe	Urgent-Order.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	Urgent-Order.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Urgent-Order.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\rmid.exe	Urgent-Order.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\tnameserv.exe	Urgent-Order.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	Urgent-Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe	Urgent-Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\policytool.exe	Urgent-Order.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	Urgent-Order.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	Urgent-Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\policytool.exe	Urgent-Order.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	Urgent-Order.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javaws.exe	Urgent-Order.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ktab.exe	Urgent-Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\orbd.exe	Urgent-Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmid.exe	Urgent-Order.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\java.exe	Urgent-Order.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javacpl.exe	Urgent-Order.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\pack200.exe	Urgent-Order.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	Urgent-Order.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Urgent-Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe	Urgent-Order.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Urgent-Order.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Urgent-Order.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	Urgent-Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jcmd.exe	Urgent-Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jp2launcher.exe	Urgent-Order.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\kinit.exe	Urgent-Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jinfo.exe	Urgent-Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jvisualvm.exe	Urgent-Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\ktab.exe	Urgent-Order.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	Urgent-Order.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	Urgent-Order.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	Urgent-Order.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	Urgent-Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe	Urgent-Order.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	Urgent-Order.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Urgent-Order.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	Urgent-Order.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	Urgent-Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\klist.exe	Urgent-Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmiregistry.exe	Urgent-Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javacpl.exe	Urgent-Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstat.exe	Urgent-Order.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	Urgent-Order.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	Urgent-Order.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	Urgent-Order.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\policytool.exe	Urgent-Order.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Urgent-Order.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	Urgent-Order.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Urgent-Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\kinit.exe	Urgent-Order.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	Urgent-Order.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	Urgent-Order.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Urgent-Order.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	Urgent-Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstatd.exe	Urgent-Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jjs.exe	Urgent-Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jabswitch.exe	Urgent-Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\java-rmi.exe	Urgent-Order.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jjs.exe	Urgent-Order.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	Urgent-Order.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	Urgent-Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe	Urgent-Order.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	Urgent-Order.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009fe37b88d589d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ffbdea84d589d901	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c7437e88d589d901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000587d9888d589d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004abbb288d589d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007a401b64d589d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000beed2989d589d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000042f1eb88d589d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	100	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
4184	Urgent-Order.exe
4184	Urgent-Order.exe
4184	Urgent-Order.exe
4184	Urgent-Order.exe
4184	Urgent-Order.exe
4184	Urgent-Order.exe
4184	Urgent-Order.exe
4184	Urgent-Order.exe
4184	Urgent-Order.exe
4184	Urgent-Order.exe
4184	Urgent-Order.exe
4184	Urgent-Order.exe
4184	Urgent-Order.exe
4184	Urgent-Order.exe
4184	Urgent-Order.exe
4184	Urgent-Order.exe
4184	Urgent-Order.exe
4184	Urgent-Order.exe
4184	Urgent-Order.exe
4184	Urgent-Order.exe
4184	Urgent-Order.exe
4184	Urgent-Order.exe
4184	Urgent-Order.exe
4184	Urgent-Order.exe
4184	Urgent-Order.exe
4184	Urgent-Order.exe
4184	Urgent-Order.exe
4184	Urgent-Order.exe
4184	Urgent-Order.exe
4184	Urgent-Order.exe
4184	Urgent-Order.exe
4184	Urgent-Order.exe
4184	Urgent-Order.exe
4184	Urgent-Order.exe
4184	Urgent-Order.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
672	Process not Found
672	Process not Found

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4184	Urgent-Order.exe
Token: SeAuditPrivilege	2748	fxssvc.exe
Token: SeRestorePrivilege	500	TieringEngineService.exe
Token: SeManageVolumePrivilege	500	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4848	AgentService.exe
Token: SeBackupPrivilege	3992	vssvc.exe
Token: SeRestorePrivilege	3992	vssvc.exe
Token: SeAuditPrivilege	3992	vssvc.exe
Token: SeBackupPrivilege	2320	wbengine.exe
Token: SeRestorePrivilege	2320	wbengine.exe
Token: SeSecurityPrivilege	2320	wbengine.exe
Token: 33	64	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	64	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	64	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	64	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	64	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	64	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	64	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	64	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	64	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	64	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	64	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	64	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	64	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	64	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	64	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	64	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	64	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	64	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	64	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	64	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	64	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	64	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	64	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	64	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	64	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	64	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	64	SearchIndexer.exe
Token: SeDebugPrivilege	4184	Urgent-Order.exe
Token: SeDebugPrivilege	4184	Urgent-Order.exe
Token: SeDebugPrivilege	4184	Urgent-Order.exe
Token: SeDebugPrivilege	4184	Urgent-Order.exe
Token: SeDebugPrivilege	4184	Urgent-Order.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4184	Urgent-Order.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 4184	1964	Urgent-Order.exe	91
PID 1964 wrote to memory of 4184	1964	Urgent-Order.exe	91
PID 1964 wrote to memory of 4184	1964	Urgent-Order.exe	91
PID 1964 wrote to memory of 4184	1964	Urgent-Order.exe	91
PID 1964 wrote to memory of 4184	1964	Urgent-Order.exe	91
PID 1964 wrote to memory of 4184	1964	Urgent-Order.exe	91
PID 1964 wrote to memory of 4184	1964	Urgent-Order.exe	91
PID 1964 wrote to memory of 4184	1964	Urgent-Order.exe	91
PID 4184 wrote to memory of 1268	4184	Urgent-Order.exe	118
PID 4184 wrote to memory of 1268	4184	Urgent-Order.exe	118
PID 4184 wrote to memory of 1268	4184	Urgent-Order.exe	118
PID 4184 wrote to memory of 1268	4184	Urgent-Order.exe	118
PID 4184 wrote to memory of 1268	4184	Urgent-Order.exe	118
PID 64 wrote to memory of 3360	64	SearchIndexer.exe	119
PID 64 wrote to memory of 3360	64	SearchIndexer.exe	119
PID 64 wrote to memory of 4624	64	SearchIndexer.exe	120
PID 64 wrote to memory of 4624	64	SearchIndexer.exe	120

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\Urgent-Order.exe
"C:\Users\Admin\AppData\Local\Temp\Urgent-Order.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Users\Admin\AppData\Local\Temp\Urgent-Order.exe
  "C:\Users\Admin\AppData\Local\Temp\Urgent-Order.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4184
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path
    PID:1268

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:768

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1172

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4736

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2748

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4440

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4740

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1684

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4496

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3884

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1752

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3816

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2488

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4100

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2408

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1220

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2284

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:472

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:500

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4848

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2304

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3992

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2320

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3420

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:64
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3360
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4624

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
1576972ad714be1fd6fb468ff91cc4e1

SHA1
ef6d7c5a2eb7ae0191272e00c59c823a288f7727

SHA256
f53e435c6fe25be2afc843f4afbc06145a3377716609095b7aae3ff060941283

SHA512
1e55c2273dbcf3407449e061afc6022e0f20f0cf0860e277885485ee07c4e37b276e956ff4789c4abf93ba779d36a440bd02d3eb55e4c0d00c3e4d90d0ed15c5

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
21dbfea2d1dc8d958dc711e360536da0

SHA1
e1eaa5bd58e1327dd84b4c6a2015cd5e1c164de7

SHA256
39147addb45f1cb9fa9240fcc0e04a9469be7f4898c2c19cdcf9bff90abe253b

SHA512
3142395df98ff650c77a6928dcfdadd20148b17ee5e7563f465d9329127eb1d6f3b3491377df2a2e4a268b234e143467ff407e393b3dd6114d43c179271c3d27

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
db9b57163942dd3f390e3ace76db076e

SHA1
df7781403031386bdf59db3b11c051e5bf167f02

SHA256
1595d983eb47a71dc4d5e1abbecd5d0537bdc52b229350169b0f06b40b975108

SHA512
12e40069e5eab62a4522542efd89147421e54d8c0d55628563dff9033b3243a99b51fad8cb80b344c8b543c8794ab94768f2dd6864849c49f318eb84b445eb62

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
8233c1f838784e6c6a605be20b22000f

SHA1
435bd38f375da70f424e0d7ea013a64f4bfff7b5

SHA256
10b85fb4939b7a656849aa30229277bbc342b3c8c541b2f719a5dce8d53a7a92

SHA512
e7cb9aa3e399911be3a09e9970ad8decc0c412a665e0040fe994a0c0ccb6b540280e97079bd841bd24e83775da1c1e951e42dcc854ccde73768bae3cd02aa8d5

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
13d7bae297962a0258d29c3827e1aff0

SHA1
45481bfa4b334eed14d21387210e062bfc97c4ae

SHA256
69ab6b04b40fa09655d6bf504a5a66e7dda39d62dfa52236d30a0996927cb065

SHA512
0bda0dca5a5689a665312a3024cdeefbf8a5769758de09ff4d9f7fcd50b75062ef770a1492777c36ac14ff03655894eab89ae01bbd52bf7bbf0228c9210f7cb6

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
592fd73e9ee4eca5838d91debcf4f2bf

SHA1
844d9abc4314f691a7297303fd2557e0b69da039

SHA256
6927757a0e210925ef25bf24f88a38fa7b8054e6c16f56980f594086ede043e7

SHA512
ef03e5354b70f8644a97a245b682aee1ef81fefead15008afeb6f0cc14681ea402c45cc80f7d67d7474bc0bf5bd05163bbb73d3d06397049df43d7dc6e7e5819

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
c269709fdc26298aab40de8b4ecac906

SHA1
195b8809a284be6cef39ab24ac6b994d2fa54946

SHA256
cd0885eafe656361eb25e98ae050f81da0a1334b510ab36800bae2379247fc98

SHA512
23e5c0651f033a120300a8be9c7c701add1a612554b9aa567a9c06b11a4fc74d7647e5197f7f04210a8b286672de28635ebeab379b386819da0a53e2d9e4dbd1

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
3b2621b0bc61634a1391a9d82659fd3a

SHA1
0ca7f167a4ccf2925fa99d37cd06984efb12dcae

SHA256
c2597dd71e579b3598212e68148e7abc13c160fd46d21e379736f4768cb8cf36

SHA512
afa33699e2e92d346d3863e2d67b430a5d65950bee3b40323bca7aa21cc994af20d72d3abe1a8e8ee42aa6e815e596f6ca5817bd6b4c39d41f7faa1335899045

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
7f733cfb64273df8b8ab2cd1f512e585

SHA1
3bb60081c41347ac1b13bde49b571aca5ab4797a

SHA256
cd5b4cd1bfa679d1640471a35f872597fb91c490b34cde0f8580a09791f013e4

SHA512
46e47c09719d46562fee1a1884dc0ebd75cc95dfa77e30356099dda63a303d26819879e0a4f987c4f46561940f5cf03e185072cb9c7fa3c9475f1934906be0ee

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
ce6d86d847b48223666e7d04d096d77e

SHA1
7a54bfeff9c121674704660472ef79e1c9af158c

SHA256
7feba68d710152888ad463cb260c5393c2c21ad6645a3cd9e542b21916da1983

SHA512
ddfc04a1d52ad1efe1d7f6f75f84c9b4944b341298f4a27a1bacdf1fbe920ce1e1b4f6e10c85535a8bd452512de7bf34d93bf2326e9dda91972c7be10a04d1b7

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
ce6d86d847b48223666e7d04d096d77e

SHA1
7a54bfeff9c121674704660472ef79e1c9af158c

SHA256
7feba68d710152888ad463cb260c5393c2c21ad6645a3cd9e542b21916da1983

SHA512
ddfc04a1d52ad1efe1d7f6f75f84c9b4944b341298f4a27a1bacdf1fbe920ce1e1b4f6e10c85535a8bd452512de7bf34d93bf2326e9dda91972c7be10a04d1b7

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
e44789eb7b25f9690ab4f9afdbd23569

SHA1
e7bb51fbe34d483781c8b58fdd523f9fbd470bfa

SHA256
11544359f33359c5a1bc0407908184345ccb39819ecaefca421e95394e5e57b3

SHA512
26a6de59321959133f918f4d8afca06b51cf9f57e54e772f71c3e55e024caa29a5667f3ca33d3c7e4c67c7e74f1e0ed9148f19565a91128f81f59d1315216cda

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
fffe51bb69f975b6be113b74320ef60e

SHA1
ca297999877d27580327a5aad15923ffda91052f

SHA256
f9d70d6dec709592878cb401f2c7e5d745eea09589fbd6f44b10e78fd7913117

SHA512
c16c4071df8a480c859d97f6317745a21e23c128f52136609193f6b0c365cc68a468c1de8fa0938cf4a08748b2e39cc9a499f7535b0f3d4b7e5943a08fe4da26

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
4db30445974ced188439a9652537a73f

SHA1
dc89f005c64fba60fcce03dd707b98fbfdeb908c

SHA256
d07dca6bfe7313a7a46a01b47f8668f3fd568afd91702762c68573b121971998

SHA512
2a592baafd266354b8dd696958e0f40283d1633867a8dcad358fba8188727985f7adeb1478ae54cf9537dada9e75cda58adb57cffa851de1ca4b6e8410d31864

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
b719de5e1de96ba88ddd426ffcb82129

SHA1
70094a04e53698678ce7023b6b2d2bfe5a2b646c

SHA256
72a502d61887b2a82a8d57761e110fd400a2d65a5fc276f2f00b1eb60e55cce6

SHA512
aab9c65a2c1efeafe1cc229dffd23da9081db6237e403f5d923691e4ab177996dc4571e632ed82b066c42481bff845b868db4d152b092bf9b43ebe1eb055c894

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
5fb61ffeb46a47f8a9025a43e9469581

SHA1
a173cee45e7aff1fdcc1251c1ab218bdd78be01d

SHA256
eccbd7770b4bc39e5356a21379b35e0ffab14eae766f64d919a46604b8e7322c

SHA512
612028e127c9b9f5097ed45be42f08f39ea93c963b11f450e7718d88c61fcbbd84b12acc7e0b22b4576e0c7cca6e6f751579004d17c714c4c91703c6b7682c1d

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
0d1a418c5b3515b11dc92400dcf12b8e

SHA1
34fefcde0945953a8257feb95789be9dc291bcc9

SHA256
3b9811ac3333e80569cedde7a454d8cba6046945d7288d2975ea9851391f59e7

SHA512
815ebb3a7dbd42d643f3c70e2e39f930cf42fee456017fa730f6592254d00a10023091d547e3f5dc0b64d841e16d5e9cee26ff1403393374237451aed68e2e57

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
4f3f779a00c11670ed4f530aec84543d

SHA1
a4e6b365df7d3b45d0cf354636f7e0945f53df0a

SHA256
3581fabeb1131548432b35981d976a83d99fc9b288e6ea17073a6c8b55e5e5f5

SHA512
3a824d631834ab476ebd4a9ad5b7b8cbce125fd9bacb1fc50f62c363b254c8e753e67fc398dbaf748e756c32a03f34516d5ca658fd97d20c349d07cb019170a8

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
55e308aa3e35d085dd8da69eb640e435

SHA1
c92e50b8d6831775c0d1e659458b8384f87fbe0c

SHA256
9cac4a237c70233b2d5cea0536c1ac86638e07b13df6f271740ca7233c45d4ff

SHA512
baa64aaab7336e8294ceb5a0ed05a3234c8e862dcef920b2b38619ea79deb0152783610e9ecce20b9cc7ef326fbdd174bf5f7fc9648f135036ce859612b00f8d

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
6bcb99a5d2b18aca8cfa62a45ddad673

SHA1
ef34824bbee53cd4c6a2d58c16fe414dedc8775b

SHA256
6ccf4ffa2095ede415dc4cb5e7b0ec321dfd15668fc4ee23a8939bf9aedcf5d6

SHA512
ab25351bd0201cae1722a4f3b959478d56e6f622e2e955e2240424556ccbee9fdd9406bfc9d26631137f753def5ccf1bc4ec4189b8bf0f6d65a536cc960d251c

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
f8f3e3e87d604a8f78ca813401d8e063

SHA1
eb9ffce6fbc8f107e2b72cf62e1eeaeafcbff881

SHA256
4cac1ca29110196bb0083701f5abffc1b2770fd200cc62cfbff1c9cd5f9c9f0b

SHA512
5be7788e61d79a92d2e662fae9078c18bf0a61b4b51ba21eaf36c394b5185d0b26ad5188cb064f3d3f931545fefc65325798dc06aa449c79bbdc157b85c596da

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
0e5fe48af1d217a14bbb26053dc1a0bb

SHA1
f4d38537c57ffb06273956a5584fd0797fac10f4

SHA256
ef257f55b0dad65c94ac8d3bad357e2371104763852c163ffac3a8e22f157f9d

SHA512
27b20cbc88fed3a8fb7a945541c5b5aef4a74bbfe2f29f8f546d600ed6bc55359731f6f9a8156ad164e38f62de74b0ed3913ea5500135f7575c747f3d3b6dfe0

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
d85ca35c710e36cb3a423f546309ec37

SHA1
6b4c77ff2cc557912e7c442f25e6edc5f207f927

SHA256
162fce2b2b011173a1ccfe4624fa33e0c4749ab3467e19e21522b3ed5128f88b

SHA512
ca8c2cefdf2515d20c0867776b1783f73f1dc70a5609ae52ef22c579b570e95341da611f37f9a4f7c14e25ec0b6648e86b79d4fa76225f38ee97ef8a8e578061

Download Submit
memory/64-622-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/64-416-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/500-345-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/500-585-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/768-163-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/768-157-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/768-173-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/1172-361-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/1172-177-0x0000000000650000-0x00000000006B0000-memory.dmp

Filesize
384KB

Download
memory/1172-169-0x0000000000650000-0x00000000006B0000-memory.dmp

Filesize
384KB

Download
memory/1172-174-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/1220-551-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1220-321-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1268-446-0x0000000001020000-0x0000000001086000-memory.dmp

Filesize
408KB

Download
memory/1684-217-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/1684-223-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/1684-226-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/1684-229-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1752-265-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/1752-486-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/1964-134-0x00000000054E0000-0x0000000005A84000-memory.dmp

Filesize
5.6MB

Download
memory/1964-133-0x00000000003A0000-0x000000000050C000-memory.dmp

Filesize
1.4MB

Download
memory/1964-135-0x0000000004F30000-0x0000000004FC2000-memory.dmp

Filesize
584KB

Download
memory/1964-136-0x0000000004EB0000-0x0000000004EBA000-memory.dmp

Filesize
40KB

Download
memory/1964-137-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

Filesize
64KB

Download
memory/1964-138-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

Filesize
64KB

Download
memory/1964-139-0x00000000069C0000-0x0000000006A5C000-memory.dmp

Filesize
624KB

Download
memory/2284-344-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/2304-591-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2304-363-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2320-404-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2408-304-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2408-549-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2488-527-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/2488-285-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/2748-200-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/2748-190-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2748-203-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2748-187-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/2748-181-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/3420-405-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/3420-602-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/3816-283-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/3884-437-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/3884-249-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/3992-381-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3992-601-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4100-496-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4100-303-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4184-149-0x00000000032E0000-0x0000000003346000-memory.dmp

Filesize
408KB

Download
memory/4184-140-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/4184-143-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/4184-144-0x00000000032E0000-0x0000000003346000-memory.dmp

Filesize
408KB

Download
memory/4184-154-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/4184-340-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/4440-400-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4440-209-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4440-192-0x0000000000C20000-0x0000000000C80000-memory.dmp

Filesize
384KB

Download
memory/4440-198-0x0000000000C20000-0x0000000000C80000-memory.dmp

Filesize
384KB

Download
memory/4496-231-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4496-247-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/4740-205-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/4740-402-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4740-212-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4740-213-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/4848-358-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download