blustealer | 693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05/05/2023, 14:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Technical Spec.exe
Size

1.5MB
MD5

ebf99fc11603d1ec4706b4330761df32
SHA1

c560ca5ae10593d7861701654d839d1071515866
SHA256

693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb
SHA512

d31c699f201343bd02c07bbf5d41e00df8368b81bfbb1d037fb4b1e1894fd3b8232e80b065845745fa6dab7f23d47efbb1d8b6a9143f5b7db0fb4a57395c4f4a
SSDEEP

49152:NQh9Nn3uFcWIY2YZGIUtNlMpovD2i9c2:0/37Wp2YPUtNlMG7N

Score

10^/10

blustealer collection spyware stealer

Malware Config

Extracted

Family

blustealer

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 22 IoCs

pid	Process
1324	alg.exe
1032	DiagnosticsHub.StandardCollector.Service.exe
4396	fxssvc.exe
4052	elevation_service.exe
2400	elevation_service.exe
4428	maintenanceservice.exe
1648	msdtc.exe
1472	OSE.EXE
2792	PerceptionSimulationService.exe
3176	perfhost.exe
3468	locator.exe
2024	SensorDataService.exe
3360	snmptrap.exe
4364	spectrum.exe
1840	ssh-agent.exe
4840	TieringEngineService.exe
1988	AgentService.exe
3908	vds.exe
4128	vssvc.exe
5060	wbengine.exe
784	WmiApSrv.exe
4220	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	Technical Spec.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	Technical Spec.exe
File opened for modification	C:\Windows\system32\spectrum.exe	Technical Spec.exe
File opened for modification	C:\Windows\System32\vds.exe	Technical Spec.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	Technical Spec.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	Technical Spec.exe
File opened for modification	C:\Windows\system32\dllhost.exe	Technical Spec.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	Technical Spec.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	Technical Spec.exe
File opened for modification	C:\Windows\system32\wbengine.exe	Technical Spec.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\9582fc8b50d0d086.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	Technical Spec.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	Technical Spec.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	Technical Spec.exe
File opened for modification	C:\Windows\system32\AgentService.exe	Technical Spec.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	Technical Spec.exe
File opened for modification	C:\Windows\System32\alg.exe	Technical Spec.exe
File opened for modification	C:\Windows\system32\msiexec.exe	Technical Spec.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	Technical Spec.exe
File opened for modification	C:\Windows\system32\locator.exe	Technical Spec.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	Technical Spec.exe
File opened for modification	C:\Windows\system32\vssvc.exe	Technical Spec.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	Technical Spec.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1808 set thread context of 1720	1808	Technical Spec.exe	89
PID 1720 set thread context of 1288	1720	Technical Spec.exe	112

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jinfo.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\wsimport.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\java.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\rmiregistry.exe	Technical Spec.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\kinit.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\orbd.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javacpl.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Technical Spec.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	Technical Spec.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jconsole.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\servertool.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\java-rmi.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\unpack200.exe	Technical Spec.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	Technical Spec.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	Technical Spec.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Technical Spec.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\pack200.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	Technical Spec.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{0BAA8BD4-90AF-4FCB-B1A3-821C23211F59}\chrome_installer.exe	Technical Spec.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Technical Spec.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\nbexec64.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ktab.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	Technical Spec.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jrunscript.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jcmd.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jvisualvm.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\nbexec.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\tnameserv.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\java-rmi.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jjs.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\keytool.exe	Technical Spec.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Technical Spec.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmic.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\pack200.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdeps.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javaw.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javaws.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	Technical Spec.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	Technical Spec.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Technical Spec.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\rmiregistry.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmc.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javacpl.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	Technical Spec.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	Technical Spec.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	Technical Spec.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000056441d375e7fd901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d4d8fe305e7fd901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000077d46c365e7fd901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007ca3c5305e7fd901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005ffe08335e7fd901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000522bcf305e7fd901	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bf6408315e7fd901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fd4e17335e7fd901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a1b027365e7fd901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	109	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
1720	Technical Spec.exe
1720	Technical Spec.exe
1720	Technical Spec.exe
1720	Technical Spec.exe
1720	Technical Spec.exe
1720	Technical Spec.exe
1720	Technical Spec.exe
1720	Technical Spec.exe
1720	Technical Spec.exe
1720	Technical Spec.exe
1720	Technical Spec.exe
1720	Technical Spec.exe
1720	Technical Spec.exe
1720	Technical Spec.exe
1720	Technical Spec.exe
1720	Technical Spec.exe
1720	Technical Spec.exe
1720	Technical Spec.exe
1720	Technical Spec.exe
1720	Technical Spec.exe
1720	Technical Spec.exe
1720	Technical Spec.exe
1720	Technical Spec.exe
1720	Technical Spec.exe
1720	Technical Spec.exe
1720	Technical Spec.exe
1720	Technical Spec.exe
1720	Technical Spec.exe
1720	Technical Spec.exe
1720	Technical Spec.exe
1720	Technical Spec.exe
1720	Technical Spec.exe
1720	Technical Spec.exe
1720	Technical Spec.exe
1720	Technical Spec.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1720	Technical Spec.exe
Token: SeAuditPrivilege	4396	fxssvc.exe
Token: SeRestorePrivilege	4840	TieringEngineService.exe
Token: SeManageVolumePrivilege	4840	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1988	AgentService.exe
Token: SeBackupPrivilege	4128	vssvc.exe
Token: SeRestorePrivilege	4128	vssvc.exe
Token: SeAuditPrivilege	4128	vssvc.exe
Token: SeBackupPrivilege	5060	wbengine.exe
Token: SeRestorePrivilege	5060	wbengine.exe
Token: SeSecurityPrivilege	5060	wbengine.exe
Token: 33	4220	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4220	SearchIndexer.exe
Token: SeDebugPrivilege	1720	Technical Spec.exe
Token: SeDebugPrivilege	1720	Technical Spec.exe
Token: SeDebugPrivilege	1720	Technical Spec.exe
Token: SeDebugPrivilege	1720	Technical Spec.exe
Token: SeDebugPrivilege	1720	Technical Spec.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1720	Technical Spec.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1808 wrote to memory of 1720	1808	Technical Spec.exe	89
PID 1808 wrote to memory of 1720	1808	Technical Spec.exe	89
PID 1808 wrote to memory of 1720	1808	Technical Spec.exe	89
PID 1808 wrote to memory of 1720	1808	Technical Spec.exe	89
PID 1808 wrote to memory of 1720	1808	Technical Spec.exe	89
PID 1808 wrote to memory of 1720	1808	Technical Spec.exe	89
PID 1808 wrote to memory of 1720	1808	Technical Spec.exe	89
PID 1808 wrote to memory of 1720	1808	Technical Spec.exe	89
PID 1720 wrote to memory of 1288	1720	Technical Spec.exe	112
PID 1720 wrote to memory of 1288	1720	Technical Spec.exe	112
PID 1720 wrote to memory of 1288	1720	Technical Spec.exe	112
PID 1720 wrote to memory of 1288	1720	Technical Spec.exe	112
PID 1720 wrote to memory of 1288	1720	Technical Spec.exe	112
PID 4220 wrote to memory of 4452	4220	SearchIndexer.exe	117
PID 4220 wrote to memory of 4452	4220	SearchIndexer.exe	117
PID 4220 wrote to memory of 1352	4220	SearchIndexer.exe	118
PID 4220 wrote to memory of 1352	4220	SearchIndexer.exe	118

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\Technical Spec.exe
"C:\Users\Admin\AppData\Local\Temp\Technical Spec.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1808
- C:\Users\Admin\AppData\Local\Temp\Technical Spec.exe
  "C:\Users\Admin\AppData\Local\Temp\Technical Spec.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1720
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path
    PID:1288

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1324

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1032

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3992

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4396

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4052

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2400

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4428

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1648

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1472

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2792

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3176

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3468

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2024

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3360

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4364

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1840

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4216

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4840

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1988

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3908

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4128

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5060

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:784

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4220
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4452
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:1352

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
64c5488bee8343dfa303d77a98ef1f52

SHA1
11d4f229c558bf847a2275cbceef5ab9c65e968c

SHA256
363f326de89f51c47e7450e83f05f43c55e00bca8922e6fe07c2168d95eb8bbe

SHA512
4897ae6575ec381070e7d8681d1f29c4194d9a7054429b7d94856c59b2bd7c9afd2bf6e237e766eca36638210c2c240c117f32b4ec6cea4d714f39f63993645d

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
9064291bb467d488530e7c4445417412

SHA1
7adc937db69ef36dbaa06913d13334e8e8c09bf3

SHA256
cbcb4a1d8f917f7490945cd98739bc9e774a3325d124de64482d5869a9500531

SHA512
e7907b959a5f8fca6d35805223fe5912da3dbe6e267eedc73c17e1699333d7742eea8ce80168840aebe01815bd0d200f935221dbac746e3c23da5e50d542e7ba

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
e88eceee1657905b1e5435c287afec58

SHA1
935fa19b6f1bf14fcc7e653cbd85f493780226c1

SHA256
d111c8505d47349516e082146002b1f6b52408a1abfb1091ec2954d512d9489e

SHA512
5e8fd7c1d482ae5809e57c2237424b3f92e920d50cb196aede5699defe05fd7cbcb162e8a9b34e5f7209efa7ace56a7665b4fa92f6ae49094820fcbadeda67db

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
8e261076202bd95f1168fcadbb417963

SHA1
a60978a1069deea10dc30779744be4bc25436258

SHA256
f55d318df48c9b1611ec3ca0952c799bee0f8ba35f749706581b81e13b50e29c

SHA512
d5953d95f959324d30df95bd23ab86a5b27f0a2bbaab86fc8aa79f8a11ce904138280d4aa1a4f7606d3c3aadb6053cbbb819b01d3f63939fa90caaa6f36a6fbb

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
ea5ad2e96ae12e3354c2c5bc261d80e1

SHA1
cae65ee31d965c935325150e0209058865ac0713

SHA256
4a708505d7a6b53112e0e3886db34d79b1fac2645a94cf6dbea65df6bad4941c

SHA512
b8430f0103e42f1c4b401ce07bf91516aacbc1eca429dcf702bacf3a49ef40f6350e2f16d2cc545f2e7b353edbd8e1171650898718ca9143bedf931c5320bd96

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
08646b9aed857843892550bab89ce757

SHA1
86f32fbb6b81754de0023bd9f6b826c5df1bd1c8

SHA256
c72c7211926ab359fb342b346cff54400d233d3a63fffa7357833eee8482c88f

SHA512
ead539c17441c8044a9c3b368d661e94d7b02b8ae2671a696dff9285daf5ef811ab0b029ce0152e4071d720b256354e401b5e035097a2b5a5659438326e33830

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
ee633a6c7985d55097bdf2e3ae0fee5f

SHA1
6a5cd3771d8a6e12909a1110173c0a93a720a7ab

SHA256
d9ccbe84b7ba16a2113407750385263ded4b8fe3b321e53dc1cb808fcf83cdc3

SHA512
468cceb2ba9868f90f2cdda535e2a301898344cf393dec9a00f611797d8d9b89257f4c2785fb4e0abf3800a964f6590c521b2ff0047d513b7ae653ce1123b001

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
f5779cc221428913345a2dca72348a6c

SHA1
c066369df30d5ab5036c5ab65b53a226272510ee

SHA256
78de112a408aae7fe6c0e313360a8fb1b15952b6c2285118697fca88f0503a67

SHA512
4e6ec5c5d6a076cf04b6f78510747ac62915cdb8ffd08488cdadc48dc0fc0481d8699d5bd5d04fcf0d532be7d00505cb04878a299112ce4d1a0320608d108e6c

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
328c4c0fb03c180cf3e6bb6c6b450b1b

SHA1
47c511110b0e6f693275018ed76cde68ac9b31c1

SHA256
895ef0a00ba9e8f9ddcc77e5ce8b3fe62bba9c1ca1b265f76cb7bb4f36f09695

SHA512
bd64ca3499ed5190c88f74c49eb565a2b2d82437d23627ef4ce6d38140861560d43a755059aca6a337982bdf25c2e30ee4bfd12a638c3ec58b07619001c04776

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
65fd4e3f4c702fec5534785a9035def6

SHA1
c5f6ca6b8baf70306f4c072a455e6ed07734df70

SHA256
8be5f62e10ee97067b120f6b8c1b4a72d03bb68b69aed68b84f47fc797f52798

SHA512
b3891ae754a3d07e509dffc3c52897ec314aa6de2e8be160795216f723395b76875a09309dd9c22734292b70b591373934bc68361b563af629e8a131d6ce5edd

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
65fd4e3f4c702fec5534785a9035def6

SHA1
c5f6ca6b8baf70306f4c072a455e6ed07734df70

SHA256
8be5f62e10ee97067b120f6b8c1b4a72d03bb68b69aed68b84f47fc797f52798

SHA512
b3891ae754a3d07e509dffc3c52897ec314aa6de2e8be160795216f723395b76875a09309dd9c22734292b70b591373934bc68361b563af629e8a131d6ce5edd

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
1d329e694a2a76e89da96422725918e6

SHA1
47446d62603e69da390fbbfdbb8a443a4e434089

SHA256
fe61af9edbe86c5838c004f2d8fc67c5c59f8cd773ddbbce85e8d244979772ef

SHA512
a9c7bb6b139832c9b4d180f2518a75414abb38b26c172aa129ffc50b062c8168050c99aaf79c7307360bf41d18f72c9311503461e991fe1aaabf71bd4cc3f212

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
7a89149101aecc89517ccc9cd415ba32

SHA1
0e758abfb9d4c6064d550cbfd242a19e0595d673

SHA256
2d91e96094a0a93d8d8eed14ca8ee43678dbb207ceb5aaa82b5160a3d4e0baa4

SHA512
0aa8633c5f0345527c404efd2d449500e8c2e31d7e9da7648235915b2b18fdee2878f7d40395de9e83109bfbb1ea0bf2a2c26affa42e20b6be092afcdc2396bb

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
bee720a8cf5a535925cf11087ce94b1b

SHA1
c3fa7f88b1cf967ff421b9acf34f15df0a30de38

SHA256
f028b01146243d4c4605b0e1c13d7f7a60ad9eddf70e897930e50f3e16cebc71

SHA512
67fbc8d63a3af8990e535412beaa60192447b3fd57f2e287704147d810168599a4751ba013e7812c3c68cc689c35b8a8df9816960533ef232f0a0e88e87b409b

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
418bd8c1cdb51bd5b61fa183d4f8260c

SHA1
8d595d18b605e0f48be03ce7722b39820824d179

SHA256
948dc04344675662bb6c3b8418a72bc21a5bd889360aaa6bdeedb79704838035

SHA512
15d282e8a1e39ee958a9f671cf5fcec896dd0e1fdbc040172a84e3d2c4106861bb2befcbf59790944319374393fda68101444612cbc4983627461c47978de4c2

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
c8207709277e603fa28b36e6400d89f5

SHA1
5c44846e9469bd8ee03566d8d06ee827d5fe92bb

SHA256
2009c11cf518719694e0c9f8a418cd9c1e7a6f635d7735bbaee9eb28891ee59c

SHA512
4fab11c2626a9fc78c6839e79782403759fa269eeb5f367303d00e45508d2aa6b44018d574ea86430dd5519e36ca68d4462c89092562dd9ff84d2c316a5ff51d

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
158809c1d439e02c0ae2345a3ee96a43

SHA1
ffc1eb6dfa43fb95db82144a7163ce071d587abd

SHA256
5128af5bca31f38aebad1b61beadd3519c34357e28573be175c3eca59dd021ae

SHA512
cd3687a153a1f3a1616cb73654d9add3c456494bfa44c98e6e80eb071a64ebd544e48913aa9025802dabfd3cc2dc76a8903cfbb234ca9be407ecac35e70be582

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
e3bd5cd231d853496d241ce00ff3b626

SHA1
4fe271117fb71024ca7c5cbf75835c6c7fdf6220

SHA256
4ec498741b4328ca8fa8d8f1b6f47dfbbd39d61844e65ab7c72d98c13d6136fb

SHA512
ad87e1aa1951f1e2156a12faf3a1143e302faac7b6e898737a35ca690ba4789893e950a208c8cd6dc8d0c8f4cd28f0ec6bb293b166a23c7b4f56c40debb0e042

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
a689d04df328b975042d8996ccdf6110

SHA1
c5b60a193c8dc3840e51a1cc8a3f4cfa26c9a1ab

SHA256
861c60b23900e7f0b5c7d3c73484f462a11a4b2a0e38ee8c2c7f01ef8ffac727

SHA512
2b7ed8bcbfbaac959ca4abf44008ee7a5b454c2d0c3328f7fbe4839de7c3208397970937a15827548b27e59afd797b377846614134e14146474af5598563a2e1

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
f57d5793d9ca605456e0dde8c2423383

SHA1
d4c8ed849b24df58bc8a0604282891b9fbc3d417

SHA256
fd80edc6c5c77adde263f8729d2e3b8624a3785b9d8794090515ee14ce06853a

SHA512
27b09db72d1af51795d298371a4d18a12a7ae42df7992cfebfb11cc8877fab081283230f2c205799607f1f43e13290994258b58708e4f57fa98129c982866fa3

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
6267ba960f5264dc03a68339b5432494

SHA1
9bc7b7518bedc86f0a247893d650098e462fc4cc

SHA256
a2dae07d278856b26911d02b4d581bb77c405f1214d180c4cca58c9f38beb672

SHA512
80a11da58faadcaadd90a28abf8746129a215d3801e967dfec757bdfa40a5b9eb6d7f0269e1d615ce1f6829c36a56d8b26511dadf09f78ce590ae776bf3dd477

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
299f5f02d7b335094b603cf1f6ae8924

SHA1
f6747a986a6d756ba8f3b08c2feb0bc5854b1e6c

SHA256
14fb6dd2d4b2cd78ffd7b4a67662b9cb56a24306ea40897ea5941c62bd7c0a9f

SHA512
562f8aa057f44f99bb54382696009d0ac6969311f0eba3c4cadadc13b592d0b1eecf6cb99ed21dd98121005d83b2483518311dbd34520c754154cca7e1c89321

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
fd05fb939148348ac6c250673c7d4565

SHA1
1aa5248e5989a6b71c200c51e9710ed09a62f94e

SHA256
03520097f94e9ce51a74d4c95314f0df9b2d7daf2ca8c36d1ec18670cae88d8b

SHA512
d6ac5f99aaf3ecd7985d1d2bac8e04708758515cba1802175d85df050424763005b8443ec33f3c338e39029b42f3681a8733e30816483e65c5441d8457347b9d

Download Submit
memory/784-411-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/784-639-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/1032-176-0x0000000000490000-0x00000000004F0000-memory.dmp

Filesize
384KB

Download
memory/1032-179-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/1032-170-0x0000000000490000-0x00000000004F0000-memory.dmp

Filesize
384KB

Download
memory/1288-385-0x0000000000810000-0x0000000000876000-memory.dmp

Filesize
408KB

Download
memory/1324-359-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/1324-164-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/1324-159-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/1324-156-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/1352-641-0x0000025EB2E40000-0x0000025EB2E50000-memory.dmp

Filesize
64KB

Download
memory/1352-642-0x0000025EB2E50000-0x0000025EB2E51000-memory.dmp

Filesize
4KB

Download
memory/1352-658-0x0000025EB2E50000-0x0000025EB2E51000-memory.dmp

Filesize
4KB

Download
memory/1352-723-0x0000025EB2E50000-0x0000025EB2E51000-memory.dmp

Filesize
4KB

Download
memory/1472-262-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/1648-484-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/1648-232-0x0000000000D50000-0x0000000000DB0000-memory.dmp

Filesize
384KB

Download
memory/1648-234-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/1720-149-0x0000000003020000-0x0000000003086000-memory.dmp

Filesize
408KB

Download
memory/1720-144-0x0000000003020000-0x0000000003086000-memory.dmp

Filesize
408KB

Download
memory/1720-143-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1720-140-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1720-160-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1808-139-0x0000000007DC0000-0x0000000007E5C000-memory.dmp

Filesize
624KB

Download
memory/1808-137-0x0000000005B40000-0x0000000005B4A000-memory.dmp

Filesize
40KB

Download
memory/1808-134-0x0000000006080000-0x0000000006624000-memory.dmp

Filesize
5.6MB

Download
memory/1808-135-0x0000000005B70000-0x0000000005C02000-memory.dmp

Filesize
584KB

Download
memory/1808-138-0x0000000005D80000-0x0000000005D90000-memory.dmp

Filesize
64KB

Download
memory/1808-136-0x0000000005D80000-0x0000000005D90000-memory.dmp

Filesize
64KB

Download
memory/1808-133-0x0000000000FE0000-0x000000000116A000-memory.dmp

Filesize
1.5MB

Download
memory/1840-342-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/1988-358-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2024-545-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2024-305-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2400-462-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2400-221-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2400-206-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/2400-212-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/2792-522-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/2792-263-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/3176-281-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/3360-307-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/3360-560-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/3468-283-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/3468-549-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/3908-376-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4052-407-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4052-202-0x00000000004D0000-0x0000000000530000-memory.dmp

Filesize
384KB

Download
memory/4052-191-0x00000000004D0000-0x0000000000530000-memory.dmp

Filesize
384KB

Download
memory/4052-199-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4128-609-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4128-379-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4220-640-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4220-412-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4364-322-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4364-582-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4396-201-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4396-187-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/4396-181-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/4396-198-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/4396-196-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4428-228-0x0000000001820000-0x0000000001880000-memory.dmp

Filesize
384KB

Download
memory/4428-216-0x0000000001820000-0x0000000001880000-memory.dmp

Filesize
384KB

Download
memory/4428-223-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4428-224-0x0000000001820000-0x0000000001880000-memory.dmp

Filesize
384KB

Download
memory/4428-230-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4840-596-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/4840-344-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/5060-408-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download