blustealer | 52d4c9785ef46a412ea225c41757168d828d77058976963a9232ffa6bf0d9425

Analysis

max time kernel
150s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
01-05-2023 15:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
Size

1.6MB
MD5

170860057f4aad06ddbeea0ca2b3f1b6
SHA1

db04c735b769df458518f959ae7eca39cfa06213
SHA256

e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998
SHA512

f8bf57126bad026be2414121c798d5688119f06312404c35dea3f457deb717f6422291f5401178586fd23055577f893b4e6236e413c909e3b526c45d3b957766
SSDEEP

24576:uU7taDBzgNEfeEvFTMxdzYPh1ogay/zj1weNgcHFx5MpfTjU/c7jNXPohE:uU7PNBmMxdEvogdzxzHFx+pfTgE7VPI

Score

10^/10

blustealer collection spyware stealer

Malware Config

Extracted

Family

blustealer

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 22 IoCs

pid	Process
5096	alg.exe
3016	DiagnosticsHub.StandardCollector.Service.exe
4264	fxssvc.exe
4364	elevation_service.exe
2884	elevation_service.exe
3340	maintenanceservice.exe
4652	msdtc.exe
1888	OSE.EXE
4208	PerceptionSimulationService.exe
2488	perfhost.exe
792	locator.exe
3944	SensorDataService.exe
4740	snmptrap.exe
2684	spectrum.exe
2348	ssh-agent.exe
332	TieringEngineService.exe
1572	AgentService.exe
4924	vds.exe
4904	vssvc.exe
2116	wbengine.exe
4912	WmiApSrv.exe
2844	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\msdtc.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Windows\system32\locator.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Windows\system32\wbengine.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Windows\System32\alg.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Windows\system32\dllhost.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Windows\system32\spectrum.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Windows\system32\AgentService.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Windows\system32\vssvc.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\f2d1a522c0346ca3.bin	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Windows\System32\vds.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1508 set thread context of 4312	1508	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe	90
PID 4312 set thread context of 4140	4312	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe	117

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\policytool.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jabswitch.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javacpl.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javacpl.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\rmid.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\unpack200.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\keytool.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\java.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\klist.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\servertool.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdeps.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\keytool.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jp2launcher.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\rmid.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jhat.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\kinit.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\native2ascii.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\klist.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jjs.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javah.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\tnameserv.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jinfo.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmic.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 23 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b1f4dbdf417cd901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003a22cd05427cd901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	92	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
1508	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
1508	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
4312	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
4312	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
4312	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
4312	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
4312	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
4312	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
4312	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
4312	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
4312	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
4312	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
4312	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
4312	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
4312	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
4312	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
4312	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
4312	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
4312	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
4312	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
4312	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
4312	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
4312	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
4312	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
4312	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
4312	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
4312	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
4312	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
4312	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
4312	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
4312	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
4312	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
4312	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
4312	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
4312	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
4312	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
4312	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeDebugPrivilege	1508	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
Token: SeTakeOwnershipPrivilege	4312	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
Token: SeAuditPrivilege	4264	fxssvc.exe
Token: SeRestorePrivilege	332	TieringEngineService.exe
Token: SeManageVolumePrivilege	332	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1572	AgentService.exe
Token: SeBackupPrivilege	4904	vssvc.exe
Token: SeRestorePrivilege	4904	vssvc.exe
Token: SeAuditPrivilege	4904	vssvc.exe
Token: SeBackupPrivilege	2116	wbengine.exe
Token: SeRestorePrivilege	2116	wbengine.exe
Token: SeSecurityPrivilege	2116	wbengine.exe
Token: 33	2844	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2844	SearchIndexer.exe
Token: SeDebugPrivilege	4312	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
Token: SeDebugPrivilege	4312	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
Token: SeDebugPrivilege	4312	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
Token: SeDebugPrivilege	4312	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
Token: SeDebugPrivilege	4312	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4312	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1508 wrote to memory of 3628	1508	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe	89
PID 1508 wrote to memory of 3628	1508	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe	89
PID 1508 wrote to memory of 3628	1508	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe	89
PID 1508 wrote to memory of 4312	1508	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe	90
PID 1508 wrote to memory of 4312	1508	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe	90
PID 1508 wrote to memory of 4312	1508	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe	90
PID 1508 wrote to memory of 4312	1508	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe	90
PID 1508 wrote to memory of 4312	1508	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe	90
PID 1508 wrote to memory of 4312	1508	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe	90
PID 1508 wrote to memory of 4312	1508	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe	90
PID 1508 wrote to memory of 4312	1508	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe	90
PID 4312 wrote to memory of 4140	4312	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe	117
PID 4312 wrote to memory of 4140	4312	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe	117
PID 4312 wrote to memory of 4140	4312	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe	117
PID 4312 wrote to memory of 4140	4312	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe	117
PID 4312 wrote to memory of 4140	4312	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe	117
PID 2844 wrote to memory of 4168	2844	SearchIndexer.exe	118
PID 2844 wrote to memory of 4168	2844	SearchIndexer.exe	118
PID 2844 wrote to memory of 1536	2844	SearchIndexer.exe	119
PID 2844 wrote to memory of 1536	2844	SearchIndexer.exe	119

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
"C:\Users\Admin\AppData\Local\Temp\e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1508
- C:\Users\Admin\AppData\Local\Temp\e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
  "C:\Users\Admin\AppData\Local\Temp\e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe"
  2⤵
  PID:3628
- C:\Users\Admin\AppData\Local\Temp\e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
  "C:\Users\Admin\AppData\Local\Temp\e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4312
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path
    PID:4140

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5096

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3016

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1548

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4264

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4364

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2884

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3340

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4652

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1888

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4208

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2488

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:792

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3944

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4740

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2684

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2348

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3104

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:332

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1572

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4924

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4904

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2116

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4912

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2844
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4168
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  PID:1536

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
129ca431d5dbfc2490ba5d333959163c

SHA1
dd47e5ccbb3dbebdd8c6d348b3f9d7a020dd5ead

SHA256
a3a2f1088ef6d79c35e56c915e4f4775f6aebdc235159b40a9d4a71d84c2fbfd

SHA512
c4341af7197f04c6c22490d8316c65e8b13a1fbd7819bc88115a64c0f211324407d769d7c1a279d05cd537f10a0f3832b63ffe2ac9a51198a07bc86d03ddace1

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
7c2053911bfe64722a65e2b571627427

SHA1
c40d7828bd313c681f9db02a8b9858470ade7e88

SHA256
e8dc7cd4d8125e15d1e23766c0ecc11fea62e37f710aeb52fd230aac0807f6c6

SHA512
e744571f0e433adf37f670339e4094697c5745efec0c3552f529474b597d20a456dfdb62f450cff9a798f8077fefed6f7ca19d27b18cf261d08f1083008ed370

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
29002e01a8b6d904c54b5950fd174abd

SHA1
ddbb9724e12a1329bd42de789ec3f3735a64ac36

SHA256
960af897a17c63ec565b318c3c56db633a6c0e911c664efad44a9693c5c11a6d

SHA512
765b193e41689cf397d8aac5a201951ac28d30058cd519c1d6276d82497207c806d2f907e34e486e4cd0e68b036f80a2252bc9a677606716a80bb7ca0672253b

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
6c1a3be47820069b24b3755a91a2c36f

SHA1
869258d867583ba1d1ab65861f4993a64008e702

SHA256
98ce20b587430370e3f32d2356fb81b2c86ae285defea3e18b84a66b71eec505

SHA512
d996f226c6ac5274c705c43c43b9e69d44def441c46781d699d054de5df62dadccdab1cdb74ed76568b476333ee46490c0da3a8fc6f17a4081b82560e7b53f2a

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
5bb9ab7da62587e792c8c03fa8ec4f83

SHA1
5e8e810abd94f2100b2a265f78245dc5f5830776

SHA256
347640df0a7f73fff0ae6f28ffb147407000d89f5b9074d4b84124ad2cae3340

SHA512
876021ff8ce144030a0a6e8618f357e45481eaff9d65ec8db67081dbc2a515e057bcaaab5a3877cc688afa1a9d1b5a78c91cbd1059b44b1b89f8585454956133

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
753b3814e9a8d04665f0e354012cc7c1

SHA1
de36e5b6fc6653a00f646ba45db61323cf616850

SHA256
9e85837052d6ce55a7325c70ed20d30f05819699e2d41012e5380a9f6d019712

SHA512
b1ee09af5d0921ffceb35b7618ba8b660ed42c387f297b1cfd0ba09a9655afecebe13b8133f4e5e715fb1834d664c3e1c757968d39d96ffadf13be9ffddb5dc4

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
63c1f61300003eac8155af679de7f7e2

SHA1
7af98ea54ff476bcbc961649dfedbfca2a109aa1

SHA256
d1682bf788483b1679aa1d0861200ab689c60d895664f5e4922a603cf2917c5b

SHA512
f48df6df053049d4823a757a4cfe92aa91423322522e114c0784f8f5f252e6e165eed673480be450ee7c75d35d52b2d5e6f7990998114907431fd2912b3c4ba6

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
9c15690925d8092d4d4a68d2a7a82f6b

SHA1
7a0c39d2d743aa23623345e7b96e595f9497a676

SHA256
7ad7766c56d0af5ad61853d10b7c333eb9d14d20748c77aef76cc236e578aaa8

SHA512
95ebaf4b3d5ffbab74a11c7b0b48a38397cac86dc54ba5898d19eaae1a499ccfb16a697a36ec59e359e5b2df3246c193bc290d9854619e397617052ca797e7b8

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
4b3165365efac74e0dd3630748c93f92

SHA1
516f1d7f6d9a14b836d31e396e6cc4498ccaa0ec

SHA256
fc298c83a999fffe3c37d5f20cddcaf8012995361f322c9e0d284b53fb4750c1

SHA512
dfe618f9ba2d3aa217f2a911e28ab035b632cd6612fcc730dd6378a57c25a6e047d29e87c054bad6e1b9532bc123ca30f2d4c10d1042ec211e5aa05a1a6a0f99

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
007ace20518c99a4b2225b7d81591377

SHA1
6272aaaaaa0ed82c93ef46cf8a3e05b161350aff

SHA256
a5f03b7e4ac30f4799dc27df38d25cad043c8d5b9043b842b9762cbf92d90ba1

SHA512
879d0059a2396f4610edc75ea0e7cff9c964767ea1ce638e713501891eb4b22fe67e8948b1627f9512ed453b29ca773681ebd459a9aa359007123da1c552188d

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
007ace20518c99a4b2225b7d81591377

SHA1
6272aaaaaa0ed82c93ef46cf8a3e05b161350aff

SHA256
a5f03b7e4ac30f4799dc27df38d25cad043c8d5b9043b842b9762cbf92d90ba1

SHA512
879d0059a2396f4610edc75ea0e7cff9c964767ea1ce638e713501891eb4b22fe67e8948b1627f9512ed453b29ca773681ebd459a9aa359007123da1c552188d

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
b6016a3e9c06138b6e57db40138f2aec

SHA1
e99b59c90fd61f520f1eb58b20e8e95aaa16dd92

SHA256
f772442b01b26c2132ab2c3574fe89685b3c71502d822ba187ebfc6e7c23afd3

SHA512
be125189b16f7402c8a89a8e00c382b1e26de4e14958856e498189d2b055f94a16ad162d4ada805f8452a7169726eaa50b4d7fac0d45bcf34f32dbd1de010273

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
a9904cbab78a648bca77be83179e6b3a

SHA1
59bc3dbe37e0e6693411adfd3aa0875cfcc3669d

SHA256
991bba37780cdcf3dc1538fd36181a5236867d0fac4e5c2353e8324c01aa5c4c

SHA512
5cfde156afe9a7f337e881472f6d7abc1163a3f471b0014f096bdcf4b8037b5b20960022f581072d80ddcfdbfdaa26bf03c9b458de51bcb401f21355bb119ee1

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
0b127c39716721bd01946abdf7117d83

SHA1
2460e6d48c868eef7c2ebd95e8f57268b0a41f3e

SHA256
f69cf0f3d19d21b06133c820bf180f9b1b51e371904f0288f2a8d5415f8f922b

SHA512
968d1ce3c0f11ad42480d4ab42aae2e75e54486abc146e0a6d755a087651b55e667d15b71ad0cb6d404906449589109bda11305ac8fb2b712f04ed0c571cc815

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
4b2729b3ce27f1fa8180d1ba748604a1

SHA1
412faadb637b2ec4c3b008a0dcb3d88197273f79

SHA256
9221dbbbe78f2621d0fc3685b32eab973c0007fea95618b50d57978aded4a157

SHA512
10e4a2b4298ec9510b353dc5af4319026fb05a5c78dd38e8d4dab62ffec93e65288d41bf6260891bd4a099e9a261c97657aeb9143f9e176c5ce5e1d6434272f1

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
f20e7ac79245c3d15aef05cc80c8b31e

SHA1
04fe23bad875d33a20032979fbe77ff8f181dfa8

SHA256
0b51dd6dc873d5e6b9e0c974d03bca6d0c0e04d9a1613df78bd19ed31c5a5722

SHA512
5e93de0f9ca8b35f215ebdc5b430d6be1a3326520c9ace55aeccea016982f3bc2da5fa881cc7850f7e7f5c6c11db6f0fb14f5ffe13fbdd264ce53e237f6d8646

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
a6ac5336ea4dd2d8d741a880e524a513

SHA1
98adb75942023a8288494fe84549899a3e0127c0

SHA256
ffae6a96e6ca1ead53434e3809cd519ae53aa21e2e82757ed6ae357847fb9080

SHA512
570d62fe494601a7bf4b5444b073a5681a53b5e4201cb16a8b3de4ce330277745f08729252fa0a66830b02d95b2918aa95da3bb0fb6aa7e5a787505152e362f1

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
07b29b082e0f3155b51baa1a34ec9c99

SHA1
4ecf9c65a87f77033554929480216640196bd83c

SHA256
4e03e38e7657f5ab0a29d75677122c9271ef848c9d3a500b9db16fb0d625aaf8

SHA512
2e11b48b0e2372091a3c3fcd9b03aa7d7e43767e32495615005a331348e8807e44c83d66ab38e531208571606dd4a8ece2016377f33425b81a96d56c72b50acd

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
03722ef73c00f6b852f578554faba429

SHA1
680fcc600e6e644d312a3e23d9d01770df02b0c6

SHA256
df9f411a87ec5e51f2a0eedb70c50c53a0638b478921e2d1f9c778680115592c

SHA512
45ade8c608369fbd0ceb3b9aaab0b80acad7621674899bc0b40286ea71fd2347b461498c7504bc08340a8a509fb5df5107f508fcb9c252587ad83d82495b976b

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
59e836f40c99c007068c8aff83539e73

SHA1
a0c3bbd8c17e493a4ad6332c62d62582c0e5eaa3

SHA256
b0a857ad48b4cc83b0a91c86cbc72bc164d1d2a8b1b48b1205542198be199754

SHA512
1fceefb82e396d59b55d7bc9ffd998fb9aa3c3ec05b822031b9ee30c78fb5d1bad266203a30e7347473af9781c587a06a2e8f3c3356bb2e5bd1bb300bac1f579

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
4a59d8ddb935974c513ffc36dd522a79

SHA1
c6fd7e54d4710e70cca8ca1c1a9823a5665fdeb6

SHA256
68934de05347a9dc508e0e42579dcbca244916fd71bf53aaa79fc0befe9e173d

SHA512
f44a1bb34b5a392c8e7ca81cfdf1b36977c9bf194321ad27e3467d40684defec20bf708675f8356f0544de169575f49f0980a002257c6cfdea3632b8baa5bb33

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
ace345361efbd0aac3561b8f242ebeb2

SHA1
74a20a697412032f47c3883e97a8cd306fc6f5ff

SHA256
92b0659c298b72c1e680c69d9772e32b169e72ae10299d2ddd54c014c14e5f02

SHA512
a58daa7f446fc27f8ee599d04d2098c48e47b42cdae36c1a0ae375aed2d1a25c15a03689121b8e758f25d732935ec5742948f71f8cdde5e2d08a5ee8b0f15874

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
cfc297672bb60706f6b18d2c7726742e

SHA1
0d80fd307ee903468194b58a43fdc2d9ab537b33

SHA256
bbe752d581e88795c7d862113c41aaf826b2b3edd7136400012454003a2b6ce7

SHA512
1ddd7e15d4478d9fc8215bd4feac598a892a4b7b1fee9f81affec749b889dbc29f14f193984b225e7b82b99ca65cbf4166f20dacb5bf7a7a962b8d898d8e5c08

Download Submit
memory/332-351-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/792-286-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/1508-138-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/1508-139-0x0000000006FC0000-0x000000000705C000-memory.dmp

Filesize
624KB

Download
memory/1508-134-0x0000000005230000-0x00000000057D4000-memory.dmp

Filesize
5.6MB

Download
memory/1508-135-0x0000000004D60000-0x0000000004DF2000-memory.dmp

Filesize
584KB

Download
memory/1508-133-0x0000000000200000-0x0000000000396000-memory.dmp

Filesize
1.6MB

Download
memory/1508-136-0x0000000004F00000-0x0000000004F0A000-memory.dmp

Filesize
40KB

Download
memory/1508-137-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/1536-694-0x00000240F9F70000-0x00000240F9F72000-memory.dmp

Filesize
8KB

Download
memory/1536-659-0x00000240F9F30000-0x00000240F9F40000-memory.dmp

Filesize
64KB

Download
memory/1536-660-0x00000240F9F50000-0x00000240F9F51000-memory.dmp

Filesize
4KB

Download
memory/1536-661-0x00000240F9F70000-0x00000240F9F80000-memory.dmp

Filesize
64KB

Download
memory/1572-353-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1572-361-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1888-247-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/1888-441-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/2116-395-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2116-564-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2348-333-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/2348-552-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/2488-271-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/2488-485-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/2684-535-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2684-321-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2844-580-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2844-414-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2884-210-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2884-205-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/2884-391-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2884-213-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/3016-349-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/3016-170-0x0000000000660000-0x00000000006C0000-memory.dmp

Filesize
384KB

Download
memory/3016-172-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/3016-177-0x0000000000660000-0x00000000006C0000-memory.dmp

Filesize
384KB

Download
memory/3340-229-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3340-226-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3340-223-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3340-217-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3944-474-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3944-297-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4140-448-0x0000000004C00000-0x0000000004C10000-memory.dmp

Filesize
64KB

Download
memory/4140-424-0x0000000000500000-0x0000000000566000-memory.dmp

Filesize
408KB

Download
memory/4208-269-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/4264-190-0x0000000000E20000-0x0000000000E80000-memory.dmp

Filesize
384KB

Download
memory/4264-189-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4264-187-0x0000000000E20000-0x0000000000E80000-memory.dmp

Filesize
384KB

Download
memory/4264-181-0x0000000000E20000-0x0000000000E80000-memory.dmp

Filesize
384KB

Download
memory/4264-193-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4312-143-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/4312-144-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/4312-145-0x0000000002E60000-0x0000000002EC6000-memory.dmp

Filesize
408KB

Download
memory/4312-140-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/4312-150-0x0000000002E60000-0x0000000002EC6000-memory.dmp

Filesize
408KB

Download
memory/4312-317-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/4364-195-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/4364-208-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4364-389-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4364-201-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/4652-246-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/4652-231-0x0000000000550000-0x00000000005B0000-memory.dmp

Filesize
384KB

Download
memory/4740-320-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/4904-563-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4904-393-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4912-579-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/4912-412-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/4924-554-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4924-372-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5096-157-0x00000000004A0000-0x0000000000500000-memory.dmp

Filesize
384KB

Download
memory/5096-164-0x00000000004A0000-0x0000000000500000-memory.dmp

Filesize
384KB

Download
memory/5096-330-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/5096-158-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download