Analysis
max time kernel: 151s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05/05/2023, 12:06

Static task: static1
Behavioral task: behavioral1
Sample: Technical Spec.exe
Resource: win7-20230220-en
General
Target: Technical Spec.exe
Size: 1.5MB
MD5: 66a9b6a55484f435f0fb7c84f71bc611
SHA1: 721833332c2fbc136adaebdf57013af384fb2cf7
SHA256: 59171f457fb4915d408fa293f0ca3cdfeb613a20d6fadc50ae88b1cf58f0b004
SHA512: 4aa631e503a41b597285fbb35c92f09c3c277e461f1845c0982006f86fc60fdf1242a4aa59c0ab976b5849da846fa17d36f89e9a1a7bcb4ef55986f7d6251f52
SSDEEP: 24576:gvPHgPdvk6fvDNL0mN3OnC/e4jGyIiDWXrPcTwCKvtB2zPJo0:g3Qvzfbd0ZC/eg1NWX6wCKVB2L
Malware Config
Extracted
Family: darkcloud
C2: https://api.telegram.org/bot5955632087:AAGbHX-YygFpBeOiEaTfH9CY-2MMNrZcY48/sendMessage?chat_id=865011046
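Added example (not part of the sandbox report and not code from the DarkCloud sample): a Python extractor that splits the Telegram Bot API URL above into the fields an analyst tracks (numeric bot id, full bot token, API method, destination chat_id), finds such URLs inside arbitrary text such as strings output or a memory dump, and produces a defanged copy plus a hunting substring for proxy or TLS-inspection logs. The regex, the function names and the constructed text in the usage are assumptions; only the URL itself is taken from the report.

```python
import re
from urllib.parse import parse_qs

# The exfiltration endpoint exactly as listed in the "Malware Config" section above.
EXTRACTED_C2 = (
    "https://api.telegram.org/bot5955632087:AAGbHX-YygFpBeOiEaTfH9CY-2MMNrZcY48"
    "/sendMessage?chat_id=865011046"
)

# A bot token has the shape <numeric bot id>:<secret>; the secret is URL-safe text.
# The pattern is written to be found anywhere in a blob, not only as a whole URL.
_BOT_URL_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{20,})"
    r"/(?P<method>[A-Za-z]+)(?:\?(?P<query>[^\s\"'<>]*))?"
)


def parse_telegram_c2(url):
    """Return the analyst-relevant fields of one Telegram Bot API URL, or None."""
    m = _BOT_URL_RE.fullmatch(url.strip())
    if not m:
        return None
    query = parse_qs(m.group("query") or "")
    return {
        "bot_id": m.group("bot_id"),
        "bot_token": f"{m.group('bot_id')}:{m.group('secret')}",
        "method": m.group("method"),
        "chat_id": query.get("chat_id", [None])[0],
    }


def find_telegram_c2(blob):
    """Find every Telegram bot endpoint in free text and parse it, one entry per token."""
    seen, found = set(), []
    for m in _BOT_URL_RE.finditer(blob):
        info = parse_telegram_c2(m.group(0))
        if info and info["bot_token"] not in seen:
            seen.add(info["bot_token"])
            found.append(info)
    return found


def defang(url):
    """Make the URL safe to paste into tickets and reports."""
    return url.replace("http", "hxxp", 1).replace("api.telegram.org", "api[.]telegram[.]org")


def hunting_pattern(info):
    """Substring to search egress logs for. Any method called on this token
    (sendMessage, sendDocument, getUpdates, ...) belongs to the same operator,
    so match on the bot path rather than on api.telegram.org, which is legitimate traffic."""
    return f"api.telegram.org/bot{info['bot_token']}/"


if __name__ == "__main__":
    info = parse_telegram_c2(EXTRACTED_C2)
    print(info)
    print(defang(EXTRACTED_C2))
    print(hunting_pattern(info))
    # Constructed text standing in for `strings` output of an unpacked sample.
    print(find_telegram_c2("... junk " + EXTRACTED_C2 + " junk " + EXTRACTED_C2))
```

The chat_id is the operator's inbox and stays constant across builds more often than the token does, so record both. Do not call the token yourself (for example a getMe request): that is contact with the actor's infrastructure and should only happen from an environment authorised for it.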
Signatures

Executes dropped EXE (22 IoCs)
All 22 are pre-existing Windows or third-party service binaries rather than newly created files; they appear in the "File opened for modification" entries under System32 and Program Files below, i.e. the sample rewrote installed service executables and those executables then ran.
pid  Process
4932  alg.exe
3056  DiagnosticsHub.StandardCollector.Service.exe
844  fxssvc.exe
3920  elevation_service.exe
5116  elevation_service.exe
1780  maintenanceservice.exe
1616  msdtc.exe
3492  OSE.EXE
2028  PerceptionSimulationService.exe
3512  perfhost.exe
2068  locator.exe
808  SensorDataService.exe
3656  snmptrap.exe
4148  spectrum.exe
2112  ssh-agent.exe
4632  TieringEngineService.exe
1000  AgentService.exe
2076  vds.exe
3820  vssvc.exe
3880  wbengine.exe
4704  WmiApSrv.exe
1644  SearchIndexer.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.
Drops file in System32 directory (24 IoCs)
Apart from the .bin and MSDTC.LOG rows, every entry is an existing Windows service executable opened for writing by the sample. The .bin under the SYSTEM account's Roaming profile is written by alg.exe, one of the modified binaries, once it runs.
description  ioc  Process
File opened for modification  C:\Windows\System32\alg.exe  Technical Spec.exe
File opened for modification  C:\Windows\system32\config\systemprofile\AppData\Roaming\8201552c50d0d086.bin  alg.exe
File opened for modification  C:\Windows\system32\msiexec.exe  Technical Spec.exe
File opened for modification  C:\Windows\system32\MSDtc\MSDTC.LOG  msdtc.exe
File opened for modification  C:\Windows\system32\AppVClient.exe  Technical Spec.exe
File opened for modification  C:\Windows\system32\SgrmBroker.exe  Technical Spec.exe
File opened for modification  C:\Windows\system32\TieringEngineService.exe  Technical Spec.exe
File opened for modification  C:\Windows\System32\vds.exe  Technical Spec.exe
File opened for modification  C:\Windows\system32\vssvc.exe  Technical Spec.exe
File opened for modification  C:\Windows\SysWow64\perfhost.exe  Technical Spec.exe
File opened for modification  C:\Windows\system32\locator.exe  Technical Spec.exe
File opened for modification  C:\Windows\System32\SensorDataService.exe  Technical Spec.exe
File opened for modification  C:\Windows\system32\spectrum.exe  Technical Spec.exe
File opened for modification  C:\Windows\system32\wbengine.exe  Technical Spec.exe
File opened for modification  C:\Windows\System32\OpenSSH\ssh-agent.exe  Technical Spec.exe
File opened for modification  C:\Windows\system32\AgentService.exe  Technical Spec.exe
File opened for modification  C:\Windows\system32\dllhost.exe  Technical Spec.exe
File opened for modification  C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe  Technical Spec.exe
File opened for modification  C:\Windows\system32\fxssvc.exe  Technical Spec.exe
File opened for modification  C:\Windows\System32\msdtc.exe  Technical Spec.exe
File opened for modification  C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe  Technical Spec.exe
File opened for modification  C:\Windows\System32\snmptrap.exe  Technical Spec.exe
File opened for modification  C:\Windows\system32\wbem\WmiApSrv.exe  Technical Spec.exe
File opened for modification  C:\Windows\system32\SearchIndexer.exe  Technical Spec.exe
Suspicious use of SetThreadContext (1 IoCs)
Both PIDs are instances of the sample: 3992 set the thread context of a second copy of itself (4192), and 4192 is the instance that goes on to enumerate processes (see "Suspicious behavior: EnumeratesProcesses"). A parent rewriting the thread context of a child with the same image is the process-hollowing / RunPE pattern: child created suspended, image replaced in memory, entry point redirected with SetThreadContext, thread resumed.
description  pid  Process  procid_target
PID 3992 set thread context of 4192  3992  Technical Spec.exe  92
Drops file in Program Files directory (64 IoCs)
description: File opened for modification; Process: Technical Spec.exe (for all 64 rows)
ioc
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\jdk1.8.0_66\bin\java.exe
C:\Program Files\Java\jre1.8.0_66\bin\jjs.exe
C:\Program Files\Java\jre1.8.0_66\bin\policytool.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files\7-Zip\Uninstall.exe
C:\Program Files\Java\jdk1.8.0_66\bin\javah.exe
C:\Program Files\Java\jre1.8.0_66\bin\jp2launcher.exe
C:\Program Files\Mozilla Firefox\uninstall\helper.exe
C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe
C:\Program Files\Java\jdk1.8.0_66\bin\pack200.exe
C:\Program Files\VideoLAN\VLC\vlc.exe
C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe
C:\Program Files\Java\jre1.8.0_66\bin\rmiregistry.exe
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe
C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe
C:\Program Files\Internet Explorer\iediagcmd.exe
C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe
C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe
C:\Program Files\Java\jdk1.8.0_66\bin\jrunscript.exe
C:\Program Files\Java\jdk1.8.0_66\jre\bin\tnameserv.exe
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
C:\Program Files\Java\jdk1.8.0_66\jre\bin\policytool.exe
C:\Program Files\Java\jre1.8.0_66\bin\keytool.exe
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
C:\Program Files\Java\jdk1.8.0_66\bin\jps.exe
C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\nbexec.exe
C:\Program Files\Mozilla Firefox\updater.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe
C:\Program Files\Java\jdk1.8.0_66\bin\jstat.exe
C:\Program Files\Java\jdk1.8.0_66\bin\ktab.exe
C:\Program Files\Java\jdk1.8.0_66\bin\xjc.exe
C:\Program Files\Java\jdk1.8.0_66\jre\bin\javaws.exe
C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe
C:\Program Files\Java\jre1.8.0_66\bin\klist.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
C:\Program Files\7-Zip\7zG.exe
C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe
C:\Program Files\Java\jdk1.8.0_66\bin\javac.exe
C:\Program Files\Java\jre1.8.0_66\bin\jabswitch.exe
C:\Program Files\Java\jdk1.8.0_66\jre\bin\jp2launcher.exe
C:\Program Files\Java\jdk1.8.0_66\jre\bin\klist.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
C:\Program Files\7-Zip\7zFM.exe
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
C:\Program Files\Java\jdk1.8.0_66\bin\schemagen.exe
C:\Program Files\Java\jdk1.8.0_66\jre\bin\jabswitch.exe
C:\Program Files\Java\jdk1.8.0_66\jre\bin\java.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
C:\Program Files\7-Zip\7z.exe
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
C:\Program Files\Java\jre1.8.0_66\bin\javacpl.exe
C:\Program Files\Java\jre1.8.0_66\bin\servertool.exe
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe
C:\Program Files\Java\jdk1.8.0_66\bin\kinit.exe
C:\Program Files\Java\jdk1.8.0_66\jre\bin\keytool.exe
C:\Program Files\Java\jdk1.8.0_66\jre\bin\rmid.exe
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
C:\Program Files\Java\jdk1.8.0_66\bin\jmap.exe
C:\Program Files\Java\jdk1.8.0_66\bin\klist.exe
Drops file in Windows directory (2 IoCs)
description  ioc  Process
File opened for modification  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe  Technical Spec.exe
File opened for modification  C:\Windows\DtcInstall.log  msdtc.exe
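Added example (not part of the sandbox report, not the sandbox vendor's code): a small Python triage script over the "Executes dropped EXE", "Drops file in System32 / Program Files" and "Suspicious use of SetThreadContext" tables above. It cross-references the executables the sample opened for writing with the processes that later ran, lists files written under the SYSTEM profile by anything other than the sample, and flags SetThreadContext between two instances of the same image. The event rows are a hand-transcribed subset of the tables on this page, and the function names and the protected-path list are assumptions.

```python
import ntpath

SAMPLE = "Technical Spec.exe"

# Rows transcribed from the signature tables on this page (a subset):
# (operation, path, process that performed it).
FILE_EVENTS = [
    ("File opened for modification", r"C:\Windows\System32\alg.exe", SAMPLE),
    ("File opened for modification", r"C:\Windows\system32\msiexec.exe", SAMPLE),
    ("File opened for modification", r"C:\Windows\System32\msdtc.exe", SAMPLE),
    ("File opened for modification", r"C:\Windows\System32\vds.exe", SAMPLE),
    ("File opened for modification", r"C:\Windows\system32\vssvc.exe", SAMPLE),
    ("File opened for modification", r"C:\Windows\SysWow64\perfhost.exe", SAMPLE),
    ("File opened for modification",
     r"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe", SAMPLE),
    ("File opened for modification",
     r"\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE", SAMPLE),
    ("File opened for modification",
     r"C:\Windows\system32\config\systemprofile\AppData\Roaming\8201552c50d0d086.bin", "alg.exe"),
    ("File opened for modification", r"C:\Windows\system32\MSDtc\MSDTC.LOG", "msdtc.exe"),
]
# (pid, image) rows from "Executes dropped EXE" (subset).
EXECUTED = [(4932, "alg.exe"), (3920, "elevation_service.exe"), (1616, "msdtc.exe"),
            (3492, "OSE.EXE"), (3512, "perfhost.exe"), (2076, "vds.exe"), (3820, "vssvc.exe")]
# (source pid, source image, target pid, target image) from "Suspicious use of SetThreadContext".
THREAD_CONTEXT = [(3992, SAMPLE, 4192, SAMPLE)]

# Assumed list of directories where a user-mode sample has no business writing .exe files.
PROTECTED = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
SYSTEM_PROFILE = "c:\\windows\\system32\\config\\systemprofile\\"


def normalize(path):
    """Drop the NT object-manager prefix the sandbox records for some opens
    (the form that starts with backslash, two question marks, backslash) and
    lower-case, so both spellings of one file compare equal."""
    if path.startswith("\\??\\"):
        path = path[4:]
    return path.lower()


def tampered_binaries(file_events, actor=SAMPLE):
    """Executables under Windows or Program Files that the sample opened for writing."""
    return {normalize(p) for op, p, proc in file_events
            if proc == actor and op == "File opened for modification"
            and normalize(p).startswith(PROTECTED) and normalize(p).endswith(".exe")}


def tampered_then_ran(file_events, executed, actor=SAMPLE):
    """Images both written by the sample and later seen as running processes.
    Matching is by basename because the process table carries no path."""
    names = {ntpath.basename(p) for p in tampered_binaries(file_events, actor)}
    return sorted({img for _, img in executed if img.lower() in names})


def systemprofile_writes(file_events, actor=SAMPLE):
    """Files written under the SYSTEM account's profile by anything other than the
    sample itself: where a hijacked service would stage a payload."""
    return [(p, proc) for _, p, proc in file_events
            if proc != actor and normalize(p).startswith(SYSTEM_PROFILE)]


def self_injection(thread_context):
    """SetThreadContext from one instance of an image into a different instance of
    the same image: the shape of process hollowing (suspended child, rewritten entry)."""
    return [(src, dst) for src, src_img, dst, dst_img in thread_context
            if src != dst and src_img.lower() == dst_img.lower()]


if __name__ == "__main__":
    print("tampered and later ran:", tampered_then_ran(FILE_EVENTS, EXECUTED))
    print("SYSTEM-profile writes:", systemprofile_writes(FILE_EVENTS))
    print("same-image SetThreadContext:", self_injection(THREAD_CONTEXT))
```

The basename match is deliberately loose (the process table gives no path, and two elevation_service.exe instances ran), so treat the result as a worklist for hash comparison against known-good copies of those binaries, not as proof on its own.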
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments. Here the readers are SensorDataService.exe and spectrum.exe, two of the Windows service binaries the sample opened for modification; opening SCSI device nodes and querying FriendlyName is also ordinary device-enumeration behaviour for a service, so the weight of this signature comes from which processes perform it, not from the keys alone.
All keys are under \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\; that prefix is omitted below.
description  ioc  Process
Key opened  CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001  SensorDataService.exe
Key opened  CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009  spectrum.exe
Key opened  CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006  spectrum.exe
Key opened  CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004  SensorDataService.exe
Key opened  CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006  SensorDataService.exe
Key opened  CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004  SensorDataService.exe
Key opened  CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004  spectrum.exe
Key opened  CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004  spectrum.exe
Key opened  CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A  SensorDataService.exe
Key value queried  CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName  SensorDataService.exe
Key opened  CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C  spectrum.exe
Key opened  CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  spectrum.exe
Key opened  Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A  spectrum.exe
Key opened  CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  SensorDataService.exe
Key opened  CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C  SensorDataService.exe
Key opened  CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A  spectrum.exe
Key opened  CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002  spectrum.exe
Key opened  CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A  spectrum.exe
Key opened  CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A  spectrum.exe
Key opened  Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A  SensorDataService.exe
Key opened  CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  spectrum.exe
Key opened  CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A  spectrum.exe
Key opened  CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006  spectrum.exe
Key opened  CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C  SensorDataService.exe
Key opened  Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C  SensorDataService.exe
Key opened  CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A  SensorDataService.exe
Key opened  CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001  spectrum.exe
Key opened  CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006  spectrum.exe
Key value queried  CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName  spectrum.exe
Key opened  CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C  spectrum.exe
Key opened  Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A  spectrum.exe
Key opened  CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006  SensorDataService.exe
Key opened  CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004  SensorDataService.exe
Key opened  Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  SensorDataService.exe
Key opened  CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000  spectrum.exe
Key opened  CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  spectrum.exe
Key value queried  CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName  spectrum.exe
Key opened  Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  spectrum.exe
Key opened  CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A  SensorDataService.exe
Key opened  CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A  SensorDataService.exe
Key opened  CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009  spectrum.exe
Key value queried  CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName  SensorDataService.exe
Key opened  Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006  SensorDataService.exe
Key opened  Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000  SensorDataService.exe
Key opened  CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009  spectrum.exe
Key value queried  CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName  spectrum.exe
Key opened  Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006  spectrum.exe
Key opened  CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002  SensorDataService.exe
Key opened  CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009  SensorDataService.exe
Key opened  CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C  SensorDataService.exe
Key opened  Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004  SensorDataService.exe
Key opened  CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C  spectrum.exe
Key opened  CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  SensorDataService.exe
Key value queried  CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName  SensorDataService.exe
Key opened  Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A  SensorDataService.exe
Key opened  CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A  spectrum.exe
Key opened  Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000  spectrum.exe
Key value queried  Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName  spectrum.exe
Key opened  Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C  spectrum.exe
Key opened  CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A  SensorDataService.exe
Key opened  Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009  SensorDataService.exe
Key opened  CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  SensorDataService.exe
Key opened  CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000  SensorDataService.exe
Key opened  CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006  SensorDataService.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description  ioc  Process
Key opened  \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0  TieringEngineService.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  TieringEngineService.exe
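Added example (not part of the sandbox report, not the sandbox vendor's detection logic): a Python classifier for the registry reads in the two signatures above. It parses the SCSI device-instance path into bus class, vendor, product and the queried value name, flags vendor/product strings that name a hypervisor's emulated hardware (Hyper-V's "Msft Virtual" devices; VirtualBox, VMware, QEMU and Xen strings are the usual others), recognises CentralProcessor reads, and summarises per process. The event rows are a hand-transcribed subset of the tables on this page; the marker list, regexes and function names are assumptions.

```python
import re

# Registry reads transcribed from the two signatures above (a subset).
# (operation, key path, process)
REG_EVENTS = [
    ("Key opened",
     r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001",
     "SensorDataService.exe"),
    ("Key value queried",
     r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName",
     "SensorDataService.exe"),
    ("Key opened",
     r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A",
     "spectrum.exe"),
    ("Key value queried",
     r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName",
     "spectrum.exe"),
    ("Key opened", r"\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0", "TieringEngineService.exe"),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz", "TieringEngineService.exe"),
]

# Assumed list of substrings in Ven_/Prod_ fields that give away a hypervisor's emulated device.
VM_MARKERS = ("virtual", "vbox", "vmware", "qemu", "xen")

_SCSI_RE = re.compile(
    r"\\enum\\scsi\\(?P<cls>[^&\\]+)&ven_(?P<vendor>[^&\\]+)&prod_(?P<product>[^\\]+)"
    r"\\(?P<instance>[^\\]+)(?P<rest>.*)$", re.IGNORECASE)
_CPU_RE = re.compile(
    r"\\hardware\\description\\system\\centralprocessor\\(?P<cpu>\d+)(?P<rest>.*)$", re.IGNORECASE)


def parse_scsi_key(path):
    """Split an Enum\\SCSI key into its device-ID fields and the final value/subkey name."""
    m = _SCSI_RE.search(path)
    if not m:
        return None
    rest = m.group("rest").lstrip("\\")
    return {"class": m.group("cls"), "vendor": m.group("vendor"), "product": m.group("product"),
            "instance": m.group("instance"), "value": rest.split("\\")[-1] if rest else None}


def is_virtual_device(vendor, product):
    """True when the device ID itself names a hypervisor. Disguised names such as the
    DADY strings on this page match nothing here; a list check is only as good as its list."""
    text = f"{vendor} {product}".lower()
    return any(marker in text for marker in VM_MARKERS)


def classify(event):
    """Label one registry read: scsi-vm-marker, scsi-device-enum, cpu-info or other."""
    _, path, proc = event
    scsi = parse_scsi_key(path)
    if scsi:
        kind = "scsi-vm-marker" if is_virtual_device(scsi["vendor"], scsi["product"]) else "scsi-device-enum"
        return {"kind": kind, "process": proc,
                "device": f"{scsi['vendor']} {scsi['product']}", "value": scsi["value"]}
    cpu = _CPU_RE.search(path)
    if cpu:
        return {"kind": "cpu-info", "process": proc, "device": f"CPU{cpu.group('cpu')}",
                "value": cpu.group("rest").lstrip("\\") or None}
    return {"kind": "other", "process": proc, "device": None, "value": None}


def summarize(events):
    """Per process: which kinds of fingerprint read it made, which devices and which value names."""
    out = {}
    for ev in events:
        c = classify(ev)
        entry = out.setdefault(c["process"], {"kinds": set(), "devices": set(), "values": set()})
        entry["kinds"].add(c["kind"])
        if c["device"]:
            entry["devices"].add(c["device"])
        if c["value"]:
            entry["values"].add(c["value"])
    return out


if __name__ == "__main__":
    for proc, info in summarize(REG_EVENTS).items():
        print(proc, sorted(info["kinds"]), sorted(info["devices"]), sorted(info["values"]))
```

Read the summary together with the file-modification tables: a service that was rewritten by the sample and then queries FriendlyName of a "Msft Virtual" device is the interesting combination, whereas the same reads from an untouched service are routine.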
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d8d348f05a7fd901 SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie SearchFilterHost.exe Key created \REGISTRY\USER\.DEFAULT\Software SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm SearchProtocolHost.exe Set value (str) 
\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b9f96ef05a7fd901 SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine" SearchIndexer.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration" SearchIndexer.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie SearchFilterHost.exe Set value (str) 
\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ebc940f15a7fd901 SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet" SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009e2565f35a7fd901 SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer SearchFilterHost.exe Key created 
\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration" SearchIndexer.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration" SearchIndexer.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit 
SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000de93aaf05a7fd901 | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002732c7f05a7fd901 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1133 = "Print" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000923f56f15a7fd901 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchFilterHost.exe
-
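The three `Shell Extensions\Cached` values written above each carry 16 bytes of data whose trailing eight bytes decode as a Windows FILETIME, which is how an analyst dates when the search indexer loaded those shell extensions. As an added example (not part of the sandbox report), the script below parses rows in the layout this table uses and decodes those stamps. The sample rows are copied from the table; the row grammar, the assumed 16-byte value layout (8 bytes of flag/unknown data followed by a little-endian FILETIME) and all function names are the example's own assumptions.

```python
"""Parse rows from the report's "Modifies data under HKEY_USERS" table and decode
the timestamps stored in the Shell Extensions\\Cached values.

Added example, not part of the sandbox report. SAMPLE_ROWS is copied from the
table; the row grammar, the assumed 16-byte layout of a Cached value and every
name below are the example's own assumptions.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional

# Rows copied from the report: "<operation> <key>[ = <data>] <process>".
SAMPLE_ROWS = [
    r"Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000de93aaf05a7fd901 SearchProtocolHost.exe",
    r"Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002732c7f05a7fd901 SearchProtocolHost.exe",
    r"Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows SearchProtocolHost.exe",
    r'Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries" SearchProtocolHost.exe',
    r"Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000923f56f15a7fd901 SearchProtocolHost.exe",
]

# Operation, then the key (which may contain spaces), an optional " = data",
# then the process name, which in this table is always the last token.
ROW_RE = re.compile(
    r"^(?P<op>Key created|Set value \((?:data|str)\)) "
    r"(?P<key>\\REGISTRY\\.+?)"
    r"(?: = (?P<data>.+?))?"
    r" (?P<process>\S+\.exe)$"
)
CACHED_RE = re.compile(r"\\Shell Extensions\\Cached\\(\{[0-9A-F-]{36}\}) ", re.I)
WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


@dataclass(frozen=True)
class RegRow:
    op: str
    key: str
    data: Optional[str]
    process: str


def parse_rows(lines: Iterable[str]) -> List[RegRow]:
    rows = []
    for line in lines:
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        rows.append(RegRow(m["op"], m["key"], m["data"], m["process"]))
    return rows


def filetime_to_datetime(filetime: int) -> datetime:
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC; truncate to microseconds."""
    return WINDOWS_EPOCH + timedelta(microseconds=filetime // 10)


def decode_cached_value(hexdata: str) -> datetime:
    raw = bytes.fromhex(hexdata)
    if len(raw) != 16:
        raise ValueError(f"expected 16 bytes of Cached data, got {len(raw)}")
    # Assumption: the trailing 8 bytes are a little-endian FILETIME.
    return filetime_to_datetime(int.from_bytes(raw[8:], "little"))


def shell_extension_load_times(rows: Iterable[RegRow]) -> Dict[str, datetime]:
    """Map each cached shell-extension CLSID to the decoded timestamp."""
    times: Dict[str, datetime] = {}
    for row in rows:
        if row.op != "Set value (data)" or row.data is None:
            continue
        m = CACHED_RE.search(row.key)
        if m:
            times[m.group(1).upper()] = decode_cached_value(row.data)
    return times


if __name__ == "__main__":
    loads = shell_extension_load_times(parse_rows(SAMPLE_ROWS))
    for clsid, when in sorted(loads.items(), key=lambda kv: kv[1]):
        print(f"{clsid}  cached {when.isoformat()}")
```

The first value decodes to 2023-05-05 14:07:34 UTC and the three stamps lie within about 1.1 s of each other, consistent with the indexer loading the extensions in a single pass. The leading eight bytes are left undecoded because their meaning is not established here.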
Suspicious behavior: EnumeratesProcesses 39 IoCs
pid Process
3992 Technical Spec.exe (4 events)
4192 Technical Spec.exe (35 events)
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
692 Process not Found
692 Process not Found
-
Suspicious use of AdjustPrivilegeToken 44 IoCs
description pid Process
Token: SeDebugPrivilege 3992 Technical Spec.exe
Token: SeTakeOwnershipPrivilege 4192 Technical Spec.exe
Token: SeAuditPrivilege 844 fxssvc.exe
Token: SeRestorePrivilege 4632 TieringEngineService.exe
Token: SeManageVolumePrivilege 4632 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 1000 AgentService.exe
Token: SeBackupPrivilege 3820 vssvc.exe
Token: SeRestorePrivilege 3820 vssvc.exe
Token: SeAuditPrivilege 3820 vssvc.exe
Token: SeBackupPrivilege 3880 wbengine.exe
Token: SeRestorePrivilege 3880 wbengine.exe
Token: SeSecurityPrivilege 3880 wbengine.exe
Token: 33 1644 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 1644 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1644 SearchIndexer.exe (25 events)
Token: SeDebugPrivilege 4192 Technical Spec.exe (5 events)
-
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 4192 Technical Spec.exe -
Suspicious use of WriteProcessMemory 18 IoCs
description pid Process procid_target
PID 3992 wrote to memory of 652 3992 Technical Spec.exe 90 (3 events)
PID 3992 wrote to memory of 996 3992 Technical Spec.exe 91 (3 events)
PID 3992 wrote to memory of 4192 3992 Technical Spec.exe 92 (8 events)
PID 1644 wrote to memory of 4940 1644 SearchIndexer.exe 119 (2 events)
PID 1644 wrote to memory of 4948 1644 SearchIndexer.exe 120 (2 events)
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Technical Spec.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Technical Spec.exe"
  PID: 3992
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\Technical Spec.exe (child of 3992)
      command line: "C:\Users\Admin\AppData\Local\Temp\Technical Spec.exe"
      PID: 652
    C:\Users\Admin\AppData\Local\Temp\Technical Spec.exe (child of 3992)
      command line: "C:\Users\Admin\AppData\Local\Temp\Technical Spec.exe"
      PID: 996
    C:\Users\Admin\AppData\Local\Temp\Technical Spec.exe (child of 3992)
      command line: "C:\Users\Admin\AppData\Local\Temp\Technical Spec.exe"
      PID: 4192
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx

C:\Windows\System32\alg.exe
  command line: C:\Windows\System32\alg.exe
  PID: 4932
  - Executes dropped EXE
  - Drops file in System32 directory

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  PID: 3056
  - Executes dropped EXE

C:\Windows\System32\svchost.exe
  command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
  PID: 4112

C:\Windows\system32\fxssvc.exe
  command line: C:\Windows\system32\fxssvc.exe
  PID: 844
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
  command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
  PID: 3920
  - Executes dropped EXE

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
  PID: 5116
  - Executes dropped EXE

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
  command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
  PID: 1780
  - Executes dropped EXE

C:\Windows\System32\msdtc.exe
  command line: C:\Windows\System32\msdtc.exe
  PID: 1616
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
  command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
  PID: 3492
  - Executes dropped EXE

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  PID: 2028
  - Executes dropped EXE

C:\Windows\SysWow64\perfhost.exe
  command line: C:\Windows\SysWow64\perfhost.exe
  PID: 3512
  - Executes dropped EXE

C:\Windows\system32\locator.exe
  command line: C:\Windows\system32\locator.exe
  PID: 2068
  - Executes dropped EXE

C:\Windows\System32\SensorDataService.exe
  command line: C:\Windows\System32\SensorDataService.exe
  PID: 808
  - Executes dropped EXE
  - Checks SCSI registry key(s)

C:\Windows\System32\snmptrap.exe
  command line: C:\Windows\System32\snmptrap.exe
  PID: 3656
  - Executes dropped EXE

C:\Windows\system32\spectrum.exe
  command line: C:\Windows\system32\spectrum.exe
  PID: 4148
  - Executes dropped EXE
  - Checks SCSI registry key(s)

C:\Windows\System32\OpenSSH\ssh-agent.exe
  command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
  PID: 2112
  - Executes dropped EXE

C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
  PID: 2344

C:\Windows\system32\TieringEngineService.exe
  command line: C:\Windows\system32\TieringEngineService.exe
  PID: 4632
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\AgentService.exe
  command line: C:\Windows\system32\AgentService.exe
  PID: 1000
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\vds.exe
  command line: C:\Windows\System32\vds.exe
  PID: 2076
  - Executes dropped EXE

C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
  PID: 3820
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\wbengine.exe
  command line: "C:\Windows\system32\wbengine.exe"
  PID: 3880
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\wbem\WmiApSrv.exe
  command line: C:\Windows\system32\wbem\WmiApSrv.exe
  PID: 4704
  - Executes dropped EXE

C:\Windows\system32\SearchIndexer.exe
  command line: C:\Windows\system32\SearchIndexer.exe /Embedding
  PID: 1644
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\system32\SearchProtocolHost.exe (child of 1644)
      command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
      PID: 4940
      - Modifies data under HKEY_USERS
    C:\Windows\system32\SearchFilterHost.exe (child of 1644)
      command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
      PID: 4948
      - Modifies data under HKEY_USERS
-
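Read together, the WriteProcessMemory table and the process tree describe the injection pattern: PID 3992, the only process tagged SetThreadContext, spawns three copies of its own image and writes into each of them, and 4192, the copy that receives the most writes, is the one that goes on to drop files and hook input. As an added example (not part of the sandbox report), the script below parses rows in the WriteProcessMemory table's layout, joins them with the PID-to-image map taken from the tree, and classifies each source/target pair. The rows and PIDs are copied from the report; the classification heuristics, the assumption that one row is one WriteProcessMemory call, and all names are the example's own.

```python
"""Summarise the report's WriteProcessMemory rows as injection chains.

Added example, not part of the sandbox report. WPM_ROWS, PROCESSES and
SET_THREAD_CONTEXT are copied from the report; the heuristics and names are
the example's own assumptions.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# From the process tree: PID -> image name for every PID the rows mention.
PROCESSES: Dict[int, str] = {
    3992: "Technical Spec.exe",
    652: "Technical Spec.exe",
    996: "Technical Spec.exe",
    4192: "Technical Spec.exe",
    1644: "SearchIndexer.exe",
    4940: "SearchProtocolHost.exe",
    4948: "SearchFilterHost.exe",
}
# PIDs the tree tags with "Suspicious use of SetThreadContext".
SET_THREAD_CONTEXT: Set[int] = {3992}

# The 18 rows, in the report's "description pid Process procid_target" layout.
# Assumption: one row is one WriteProcessMemory call.
WPM_ROWS = """
PID 3992 wrote to memory of 652 3992 Technical Spec.exe 90
PID 3992 wrote to memory of 652 3992 Technical Spec.exe 90
PID 3992 wrote to memory of 652 3992 Technical Spec.exe 90
PID 3992 wrote to memory of 996 3992 Technical Spec.exe 91
PID 3992 wrote to memory of 996 3992 Technical Spec.exe 91
PID 3992 wrote to memory of 996 3992 Technical Spec.exe 91
PID 3992 wrote to memory of 4192 3992 Technical Spec.exe 92
PID 3992 wrote to memory of 4192 3992 Technical Spec.exe 92
PID 3992 wrote to memory of 4192 3992 Technical Spec.exe 92
PID 3992 wrote to memory of 4192 3992 Technical Spec.exe 92
PID 3992 wrote to memory of 4192 3992 Technical Spec.exe 92
PID 3992 wrote to memory of 4192 3992 Technical Spec.exe 92
PID 3992 wrote to memory of 4192 3992 Technical Spec.exe 92
PID 3992 wrote to memory of 4192 3992 Technical Spec.exe 92
PID 1644 wrote to memory of 4940 1644 SearchIndexer.exe 119
PID 1644 wrote to memory of 4940 1644 SearchIndexer.exe 119
PID 1644 wrote to memory of 4948 1644 SearchIndexer.exe 120
PID 1644 wrote to memory of 4948 1644 SearchIndexer.exe 120
"""

# description = "PID <src> wrote to memory of <dst>", then pid, image, target index.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (.+?) (\d+)$")


@dataclass(frozen=True)
class Chain:
    source: int
    target: int
    writes: int
    source_image: str
    target_image: str
    verdict: str


def parse_writes(text: str) -> Counter:
    """Count (source pid, target pid) pairs, one per row."""
    counts: Counter = Counter()
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        src, dst, pid = int(m[1]), int(m[2]), int(m[3])
        if src != pid:
            raise ValueError(f"description/pid mismatch in row: {line!r}")
        counts[(src, dst)] += 1
    return counts


def classify(src: int, dst: int, processes: Dict[int, str], stc: Set[int]) -> str:
    """Heuristic: same image plus SetThreadContext on the writer is the classic
    spawn-suspended / overwrite / redirect-thread sequence (hollowing)."""
    same_image = processes.get(src) == processes.get(dst)
    if same_image and src in stc:
        return "self-injection + SetThreadContext (hollowing pattern)"
    if same_image:
        return "self-injection into a copy of the same image"
    return "cross-process write into a different image"


def injection_chains(text: str, processes: Dict[int, str], stc: Set[int]) -> List[Chain]:
    chains = []
    for (src, dst), n in sorted(parse_writes(text).items()):
        chains.append(Chain(src, dst, n, processes.get(src, "?"), processes.get(dst, "?"),
                            classify(src, dst, processes, stc)))
    return chains


def most_written_target(chains: List[Chain], source: int) -> Optional[int]:
    """The child that received the most writes; in this report that is the
    copy which keeps running and drops files (4192)."""
    mine = [c for c in chains if c.source == source]
    return max(mine, key=lambda c: c.writes).target if mine else None


if __name__ == "__main__":
    for c in injection_chains(WPM_ROWS, PROCESSES, SET_THREAD_CONTEXT):
        print(f"{c.source} ({c.source_image}) -> {c.target} ({c.target_image}): "
              f"{c.writes} writes, {c.verdict}")
```

The SearchIndexer.exe writes into its SearchProtocolHost/SearchFilterHost children are the indexer's normal worker setup and classify as cross-image writes; note, though, that this SearchIndexer.exe is itself one of the binaries the sample replaced, so "benign pattern" here only means the write pattern, not the image.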
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize 2.1MB
MD5 d04b9ca30cb91a3faab649fb0503614a
SHA1 bf035a01245763d39249bb3b8330d05f28b1731b
SHA256 acb65cb4f604ce58503f238b4f96b3e6f006093e0e33535b77861df353075166
SHA512 a46f417fefdfd9172f2f4b442c5cec86a5f955b18f22bebc888bcc880de7b233f9b3d40f0cbf7288c27c1b986f5174703cf37f8f511b74e72be0f8926d9e206c
-
Filesize 1.4MB
MD5 e7fd961fbc91c8307b8a7c86b91fb5bd
SHA1 66789386235bb02a912133c284f7a5a29e9d0498
SHA256 22e90eb1eb5500f87c276b7f0a9f78c0d95f846fa9acc4a0d130e1d997578f9f
SHA512 fdcb069a7d0b20058eba58fae2ed271da31d63275efc889979f85b0af632d618f2cae182f91727c8bff20442bb0f1bbfbe5ab2cf9b3d013eb0b3a842c03e53e8
-
Filesize 1.5MB
MD5 8f95be67a2ce00dbe3556c211db87f35
SHA1 0e8126d9ec23a93959bcf8039ffbbb176e096204
SHA256 8ec31f049f51df1a362a49cfc8f37a51b889872a31d7dc2243c2a5bfd3571a14
SHA512 276fcc1fb8a344e6056639d2311062ce5892414f85ef90ab5fe3f85be0cde814dd3cd16ee7e783ae08cfa0b1a3d95e7884ff576f3f7aad8e83a75fe097b2813b
-
Filesize 2.1MB
MD5 8e3d7238bc3e025657f6132ed941d6b8
SHA1 84d81be5b306ef54dafd440fc7ac89a7487ba7fb
SHA256 ff06ca14f3f9cebf3e999515ee60690b7f211f8a54166a9b35533faebc38afc2
SHA512 c7c6cef9f3cbbef0da47b546b1f520bbfcb8ac260c63dc251ecfaf849f048ca6f12b74b1b394d168e1543a2c059abc8e1698e759bd92497b4b9b9000841d27fc
-
Filesize 1.2MB
MD5 d74944d3471004ac1fc86cdcc3dcd3b1
SHA1 deb58d1a1645d4a95814388cc70a033f4e180172
SHA256 f051972c0e6db66d374482c3c8f7064fcff08b355efab9b336f0d439a3545788
SHA512 1d4ff4d5814dd89ad8273326f742df2971f89efa2a5c806957cd4304eaba5bbcdaedcd1fabcd5cae1f4f2d345b32cd3a97718087388693cf2d846379ea838fb0
-
Filesize 1.7MB
MD5 82e6ee2e347d323fa122fc5009950cd2
SHA1 770326883a7b7153ba6a9d53e15e581a35bb08ba
SHA256 c62685a376ae17c8f640ac78bf8969cbd216df983b494206526e8652a04bf64c
SHA512 6f5da78787a75c7bc6d5bc8f5d0528a3003aa807ae2962cbbd726e8a12c054eb793646226e783a1f512956cdbcd5a84610284a051158418dd73bca008f532f0d
-
Filesize 1.3MB
MD5 20017d9db1304fdf9c18ac1b1f179dcf
SHA1 194eeb33949ad1decd88e93b23dbd57d8899eafe
SHA256 f86133c8503c4c8a95041ac180311630d17702b89b51ad3310599b49b939633a
SHA512 401e2d668b23f261308326e9895e75706fe2159a66a0c9a608de789ca1f6ada79eff4b0856b62119ce6f06a4b90a8820ea4f6af98afde87dfde5af0c7547b0ee
-
Filesize 1.2MB
MD5 0dcd020850a8219cf5f59970cae4e5dc
SHA1 16f0aae13774f2d001545149926aea75d9598c00
SHA256 adabd0fb6f506c1272d4f44e7ed3b857026e5c41cd0cbdafdd98bc52f2b3667b
SHA512 7912274c9491e692e7ddab3e5109526a4d5eceb4dfd695ab6c5fe5198cb54c054eeb960f3410cddb63c8708c4e326b46a94b66e7672884121e0b4740ebfc8a30
-
Filesize 1.2MB
MD5 50be656239a16b23efa3d2a25d5f6da9
SHA1 ea59a5ea20651832e22fd0b4e20c77b82e1d9410
SHA256 318c17dbc83ec4fca3f5708db7a634ca41d19fb4d7707cec9407f8fb838419cb
SHA512 c67b5dcb7ba474bef26013d3420c06e88854fc6de0eccc7db1e1e87cffee28f82446f50c5dd2615cddfe32de960637586955318fd6c498f2595d7e339fbea1cd
-
Filesize 1.6MB
MD5 d45f77cd35eefad25251cb02567b5a6e
SHA1 a3976b3a3a541e8cfee4ae21a8d5561d34ed4ccb
SHA256 ce0bede9bb6a76f09849d1b32063a9b13f85342497579883bff58740c94de8c3
SHA512 0f8c7322a60f82737de755fb2033686f00873a46dfd046ac5e590b9ea5f73c19c54fb9428bec4ad2538524c586ba6785c816ed36cc569e67ffba221dbba04303
-
Filesize 1.6MB
MD5 d45f77cd35eefad25251cb02567b5a6e
SHA1 a3976b3a3a541e8cfee4ae21a8d5561d34ed4ccb
SHA256 ce0bede9bb6a76f09849d1b32063a9b13f85342497579883bff58740c94de8c3
SHA512 0f8c7322a60f82737de755fb2033686f00873a46dfd046ac5e590b9ea5f73c19c54fb9428bec4ad2538524c586ba6785c816ed36cc569e67ffba221dbba04303
-
Filesize 1.3MB
MD5 34303b41680f77b205d9b21b6023a4e2
SHA1 f93aa7b1f5961981398d49be09f0e172c652c89f
SHA256 f62275b77cbdb8c43a0094232bedd797d173ca7335c052f941e657334ad5357a
SHA512 359aca96ce6fd6de5229edc4453a4537a14e82135a69941706952ef6c803c95984b5aee8ed153569180ffbfbfa9c9db1d43e88dd1fcc8c5c78ccbd6e0f910e93
-
Filesize 1.4MB
MD5 dffa5648a8c8ad2c30ff61d127c521c6
SHA1 f49c34baee4c551775214d3acba7f06702418b16
SHA256 c55aee63c87b6234f29d57295732fb4e855236f654ba09078151f2d518d3717a
SHA512 502877b0a4dae35ccc2cd43e89845a03ab8f5ca15a0b19d7b87b35a1790e372e1eaff55af5349097b2e0c15e29d1d018ef4d71ca31ece5c9e661e697613a168d
-
Filesize 1.8MB
MD5 f053977e53e2da0b52d2401bea7b6c18
SHA1 037c97e1a8855a5ea2ead278522bd5ddfb369872
SHA256 413e982e621b55db5c0a113411e3455d406e3fb1cc80cea33a1ac69196c1093e
SHA512 c6523b0a1b1b974c30bcbf365c42b5ed1cf0db5eee6e46887ccfb187756d712f2373e63f582f3980a26a2acaaceb56281c7448689259d7b3f8addbb187e9e6be
-
Filesize 1.4MB
MD5 2702417ee26c153a9fc3929fa0aac867
SHA1 d45c9bb53b21ba5652adb1aa6aa61be6c4ded981
SHA256 730aa61c36e9fc6eea48aca60bd057fcd58cc9ad7caea4ee297d5933e1bbb7fe
SHA512 368d2f9af7da9eff5b91b01789dd50814f7ab289d6e25e61ef97a55370232a55ee577ffdfa90c639d011d93467f6408feaafe7e39e1b07c7f64678197a92d563
-
Filesize 1.5MB
MD5 d64441988c96be8db277fb5b36003bcd
SHA1 4a117c179f980833954e3aa5567d034f16eb0d67
SHA256 27cbc6ce6331b60f8b6803e595cf1abffc8338eb69c843b27c7bf03371d958cf
SHA512 13527315d593c0ec8bb8a9984554d027bbf91843b06ef8d47ee733d37233b9eae35fb7d6fb392ec2d99657ef735e6d20b3340a1ccda89dd16569a6a2bcd50def
-
Filesize 2.0MB
MD5 86c308b2f83e42aef78ff3fd59911ddd
SHA1 e2cc50ad58cf7e400a7b1b07ba182e180a31fc6f
SHA256 75ea2a1b0f91a85825749f2935d313f1a8f22a58cb5c43dd13cb90e643f15ad0
SHA512 0e15490765ed8b4bd6a87f8107e0421f927831991958c421972aff537c56411290ef286a64bc35d0bcecc72d1976b34bedfee872a931d3c0af4f4d9583a16b64
-
Filesize 1.3MB
MD5 d0c94dd810b273a9c789849533b037c5
SHA1 f99c09bc6f0c1d6bc8c3b5920dfa7d8f9e299d33
SHA256 29d243cddc1a6df44fe412496c6100244df3f9921f79284f1f3a2893e437f628
SHA512 dfe9cf85f804c6a5a4ee5b3aa959e910a6ab634471bc2f741ab442c9585c54df9eda8a37e5e2b84010728b3310d111d97439a34b8e0aa687256c92fe0d3ff27f
-
Filesize 1.4MB
MD5 3002e9a3eb52d579d75ef53cabc2b2da
SHA1 f4519d4166058e4f55946b918727a4b32a73e407
SHA256 89eaf4a80069dea74a881fedcf44ec9f4dbc54cccb31812b84552f8b49f03c62
SHA512 d94984b71f0d2a3301b9ac6051139360458c89ea72cf9a44de16e73b2a97ce5733f09a02b2dd8f8a4278b0812bd9c324614f80ca6e0e9e7488c01428507192a2
-
Filesize 1.2MB
MD5 9a2f722ed7ad887b6baf741adee11ac8
SHA1 360babb56b0521d0aa6aa026308055940925d753
SHA256 beeaad2b492e3e5b75b751a65edb2810e5c99917421c1b2c2d61512d9cc25770
SHA512 61348ac426c63a7c4c786c247d59d76587e25b744e4f99592066c647b25e7d08ccfe5ca57dc9e493358cfd91bf136d3d064ab2173303f8787effad10f14e216a
-
Filesize 1.3MB
MD5 8392d3ae7459f5d1786dd7f5eb878a83
SHA1 f5022d85b8ef124003f8ca5225da3e6ae057c962
SHA256 2669de31392d0fcf75721505526f39116b9f77504d664c3092a91893c82607ba
SHA512 690fe35ba1b45e9e72d9cacacc55a50fe17a80d39a3ac7184b72455e82a942a8bd245161da793c442dd7401ae4d2362a55582e5f6273555d74066b711376bfa6
-
Filesize 1.4MB
MD5 9b77c41ef1941e59b7da42004b0cee35
SHA1 235d924407507edba2b29531ce3d7fa008f267ad
SHA256 86ff7bc2952c04214840a602223ad9b819684db0755d614c6f5e3aeb4ce8a334
SHA512 d3134a6d7295125c0834283457ceec50a5cb6f544c90f55bec6aff30ae2a6565fc7b48d01d0ad7b97f534ce42d0120395fed5b93812bf5f8c5f1b6137f5c1164
-
Filesize 2.1MB
MD5 ca0bda2a7dad69a66e00648dd4cb9337
SHA1 ba4200699cf001f95632d0324042a612713041e7
SHA256 d79596c79c61dd2a1e6c6caea13f89b556ea176683abfba4ad2b19caf4269ff2
SHA512 518ffcbf6b9ee889897f0545c833c8afbf9645a23979028cb84b83b5a1c7987638c2ba1ec66094543756fc5ca44803f1640581df828883cae537a5a5e597dc87