blustealer | 2a84cd5f54e03590ad92e86ce6618dc5c31cb290e0845bb5de357f8c92af8749

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
08-05-2023 07:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Technical Spec.exe
Size

1.6MB
MD5

b07439ae25abcf2d281132533f2c4aa4
SHA1

4137af7edd5400e7e87b1ef31ad3d69da6f77d82
SHA256

2a84cd5f54e03590ad92e86ce6618dc5c31cb290e0845bb5de357f8c92af8749
SHA512

9c82e054400eba3459fed20bce1e1fbfe41d4459914ef7d6655ec8b06cf9d4fedf11be0de967de4fa0b167a2d835d603d50d121a5463ac0b28aabe2f4d39316e
SSDEEP

24576:CPKc2E+VeksjscdkmsRzUHr+3KcQh3GgVqIB5WtS4DW3mkh9YnpZq7ZPGAw1c:GpEE3qzULUhgGgVqIL4DWPhWnpAlnw1

Score

10^/10

blustealer collection spyware stealer

Malware Config

Extracted

Family

blustealer

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 22 IoCs

pid	Process
1368	alg.exe
2284	DiagnosticsHub.StandardCollector.Service.exe
1496	fxssvc.exe
3652	elevation_service.exe
1932	elevation_service.exe
364	maintenanceservice.exe
1976	msdtc.exe
372	OSE.EXE
2292	PerceptionSimulationService.exe
3800	perfhost.exe
3716	locator.exe
4156	SensorDataService.exe
3956	snmptrap.exe
3068	spectrum.exe
2660	ssh-agent.exe
4900	TieringEngineService.exe
4104	AgentService.exe
404	vds.exe
760	vssvc.exe
364	wbengine.exe
5032	WmiApSrv.exe
1508	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Drops file in System32 directory 29 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	Technical Spec.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	Technical Spec.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	Technical Spec.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	Technical Spec.exe
File opened for modification	C:\Windows\system32\spectrum.exe	Technical Spec.exe
File opened for modification	C:\Windows\system32\wbengine.exe	Technical Spec.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	Technical Spec.exe
File opened for modification	C:\Windows\system32\dllhost.exe	Technical Spec.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	Technical Spec.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	Technical Spec.exe
File opened for modification	C:\Windows\system32\locator.exe	Technical Spec.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	Technical Spec.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	Technical Spec.exe
File opened for modification	C:\Windows\system32\AgentService.exe	Technical Spec.exe
File opened for modification	C:\Windows\system32\vssvc.exe	Technical Spec.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	Technical Spec.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\bac754d49a2815e1.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	Technical Spec.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\vds.exe	Technical Spec.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	Technical Spec.exe
File opened for modification	C:\Windows\System32\msdtc.exe	Technical Spec.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	Technical Spec.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	Technical Spec.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1128 set thread context of 3640	1128	Technical Spec.exe	93
PID 3640 set thread context of 3768	3640	Technical Spec.exe	99

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\rmid.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdeps.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jsadebugd.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jp2launcher.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javah.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jjs.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\policytool.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jinfo.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\rmiregistry.exe	Technical Spec.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	Technical Spec.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	Technical Spec.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javacpl.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javaw.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\ktab.exe	Technical Spec.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\klist.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\orbd.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\klist.exe	Technical Spec.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	Technical Spec.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmap.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\unpack200.exe	Technical Spec.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Technical Spec.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	Technical Spec.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\keytool.exe	Technical Spec.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	Technical Spec.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	Technical Spec.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\nbexec64.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ssvagent.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	Technical Spec.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\java.exe	Technical Spec.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	Technical Spec.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	Technical Spec.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	Technical Spec.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{71ADFEE3-430E-4776-83B2-F32638BD7B7F}\chrome_installer.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\native2ascii.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\rmiregistry.exe	Technical Spec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jp2launcher.exe	Technical Spec.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	Technical Spec.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ab0431f28b81d901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b14e5ef28b81d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006f5f9eed8b81d901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e46a4cee8b81d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ed90ebec8b81d901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001bfe06f18b81d901	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a08a59f28b81d901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ea2a46ed8b81d901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000ea666ee8b81d901	SearchProtocolHost.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	89	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
1128	Technical Spec.exe
1128	Technical Spec.exe
1128	Technical Spec.exe
1128	Technical Spec.exe
3640	Technical Spec.exe
3640	Technical Spec.exe
3640	Technical Spec.exe
3640	Technical Spec.exe
3640	Technical Spec.exe
3640	Technical Spec.exe
3640	Technical Spec.exe
3640	Technical Spec.exe
3640	Technical Spec.exe
3640	Technical Spec.exe
3640	Technical Spec.exe
3640	Technical Spec.exe
3640	Technical Spec.exe
3640	Technical Spec.exe
3640	Technical Spec.exe
3640	Technical Spec.exe
3640	Technical Spec.exe
3640	Technical Spec.exe
3640	Technical Spec.exe
3640	Technical Spec.exe
3640	Technical Spec.exe
3640	Technical Spec.exe
3640	Technical Spec.exe
3640	Technical Spec.exe
3640	Technical Spec.exe
3640	Technical Spec.exe
3640	Technical Spec.exe
3640	Technical Spec.exe
3640	Technical Spec.exe
3640	Technical Spec.exe
3640	Technical Spec.exe
3640	Technical Spec.exe
3640	Technical Spec.exe
3640	Technical Spec.exe
3640	Technical Spec.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeDebugPrivilege	1128	Technical Spec.exe
Token: SeTakeOwnershipPrivilege	3640	Technical Spec.exe
Token: SeAuditPrivilege	1496	fxssvc.exe
Token: SeRestorePrivilege	4900	TieringEngineService.exe
Token: SeManageVolumePrivilege	4900	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4104	AgentService.exe
Token: SeBackupPrivilege	760	vssvc.exe
Token: SeRestorePrivilege	760	vssvc.exe
Token: SeAuditPrivilege	760	vssvc.exe
Token: SeBackupPrivilege	364	wbengine.exe
Token: SeRestorePrivilege	364	wbengine.exe
Token: SeSecurityPrivilege	364	wbengine.exe
Token: 33	1508	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1508	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1508	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1508	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1508	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1508	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1508	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1508	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1508	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1508	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1508	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1508	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1508	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1508	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1508	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1508	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1508	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1508	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1508	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1508	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1508	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1508	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1508	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1508	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1508	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1508	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1508	SearchIndexer.exe
Token: SeDebugPrivilege	3640	Technical Spec.exe
Token: SeDebugPrivilege	3640	Technical Spec.exe
Token: SeDebugPrivilege	3640	Technical Spec.exe
Token: SeDebugPrivilege	3640	Technical Spec.exe
Token: SeDebugPrivilege	3640	Technical Spec.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3640	Technical Spec.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 1128 wrote to memory of 4092	1128	Technical Spec.exe	91
PID 1128 wrote to memory of 4092	1128	Technical Spec.exe	91
PID 1128 wrote to memory of 4092	1128	Technical Spec.exe	91
PID 1128 wrote to memory of 4684	1128	Technical Spec.exe	92
PID 1128 wrote to memory of 4684	1128	Technical Spec.exe	92
PID 1128 wrote to memory of 4684	1128	Technical Spec.exe	92
PID 1128 wrote to memory of 3640	1128	Technical Spec.exe	93
PID 1128 wrote to memory of 3640	1128	Technical Spec.exe	93
PID 1128 wrote to memory of 3640	1128	Technical Spec.exe	93
PID 1128 wrote to memory of 3640	1128	Technical Spec.exe	93
PID 1128 wrote to memory of 3640	1128	Technical Spec.exe	93
PID 1128 wrote to memory of 3640	1128	Technical Spec.exe	93
PID 1128 wrote to memory of 3640	1128	Technical Spec.exe	93
PID 1128 wrote to memory of 3640	1128	Technical Spec.exe	93
PID 3640 wrote to memory of 3768	3640	Technical Spec.exe	99
PID 3640 wrote to memory of 3768	3640	Technical Spec.exe	99
PID 3640 wrote to memory of 3768	3640	Technical Spec.exe	99
PID 3640 wrote to memory of 3768	3640	Technical Spec.exe	99
PID 3640 wrote to memory of 3768	3640	Technical Spec.exe	99
PID 1508 wrote to memory of 3148	1508	SearchIndexer.exe	121
PID 1508 wrote to memory of 3148	1508	SearchIndexer.exe	121
PID 1508 wrote to memory of 4888	1508	SearchIndexer.exe	122
PID 1508 wrote to memory of 4888	1508	SearchIndexer.exe	122

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\Technical Spec.exe
"C:\Users\Admin\AppData\Local\Temp\Technical Spec.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1128
- C:\Users\Admin\AppData\Local\Temp\Technical Spec.exe
  "C:\Users\Admin\AppData\Local\Temp\Technical Spec.exe"
  2⤵
  PID:4092
- C:\Users\Admin\AppData\Local\Temp\Technical Spec.exe
  "C:\Users\Admin\AppData\Local\Temp\Technical Spec.exe"
  2⤵
  PID:4684
- C:\Users\Admin\AppData\Local\Temp\Technical Spec.exe
  "C:\Users\Admin\AppData\Local\Temp\Technical Spec.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3640
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path
    PID:3768

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:1368

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2284

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3316

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1496

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3652

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1932

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:364

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1976

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:372

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2292

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3800

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3716

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4156

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3956

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3068

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2660

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2468

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4900

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4104

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:404

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:760

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:364

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5032

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1508
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3148
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4888

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
f56f45aaa6d285e7bf0381472346a045

SHA1
b5589b6a40a76bdd140c0949e771f6d3dadf3041

SHA256
eca6c13807d11f818c2d915310bc3868ab4a1f069cc16506335102027c5526b0

SHA512
ec54a1dbbf15b4622923529f5590ceb015c7a0e199ee146c6aba3fad4c8bda4260fca3e51aa3cce59cd05b5cd9299016b638256102714d6f3027e96ce5bd9df4

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
639e4e372f303ed9ca0d67a77b81ad3d

SHA1
484cc51a7524b176f003906d5961979afa7e3804

SHA256
bc6663a75030af35f59b2d7981177ba4ca7d0326a90fdce4d7273cb5eadd0882

SHA512
344b23b58da2e5af6dd775f2dcbea5e4436e7aea4d8841c2049950fb244a9b6b48eafdf033a9ce1a0791847f21f449e21d66dde72f185f3792618716bf95cd0b

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
639e4e372f303ed9ca0d67a77b81ad3d

SHA1
484cc51a7524b176f003906d5961979afa7e3804

SHA256
bc6663a75030af35f59b2d7981177ba4ca7d0326a90fdce4d7273cb5eadd0882

SHA512
344b23b58da2e5af6dd775f2dcbea5e4436e7aea4d8841c2049950fb244a9b6b48eafdf033a9ce1a0791847f21f449e21d66dde72f185f3792618716bf95cd0b

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
213d7f953932e7c5d0ebfbf5ac451923

SHA1
17b6680442bb8efb173465bc45215c4721eb17fd

SHA256
ef357f5f39f4b85563801142ae0adbc0a72e4bf6c9281178f7d7294212d39883

SHA512
e5379a525315f6519b9a84d22cbba74d3abf8519e417aade3596effa34702b10a21c46d07339712663b7bca32b3f94c875c23677954925184a090ee30df0c612

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
6b98ffab5bd1bb84585a2c716cb57fef

SHA1
bcdc4b9f00abd3a8271ebe4a9e579e56d9592e5c

SHA256
b84439aa4c6d66a72a97c14dba1407865401050307a739d4aa5ef35d3619bf02

SHA512
170987df5f4c27094d34b0d883e5d00f537951599f63c1c24832abb94bf3040249bfe2ccb7cf49bdcbd5c3dd6edfa70f341bf01142af1ab271c6bab30a24bc45

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
e6b1838a771f0dc3c075bdb557392a24

SHA1
3281a136bbc3e6313377dbf45b424942be648c1e

SHA256
b98a822058309ec8728b171ef932c89e42eb92b82b2a4118638a475d1cac2585

SHA512
70bb75d4fbf575505bba22e0c269c4a6f115f7334968ad9cf06123733e636cbb488b8b0dd7a8c0ff828c4766823859bcff7aa557e54e19f21732a19f6a8378a7

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.1MB

MD5
e23a56dc8b1efad82d385a75a277087c

SHA1
e047ca6eb5b6cca92332a4e89e621607f2e65be0

SHA256
e23a289dbb195d12dd7e07ac42a74fbf50c5d9f894c3920acd70da0764f5da73

SHA512
f405787addb8bd0864fb62f0f3da89039cd720f262a71a43671d54e4304f9a097c09f7f399a06ecb3f401a5a4099d4094db77b1017c7705dde25454c38bea74d

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
7bdfae5bbfa04dc2a7b98d3e83f20b80

SHA1
b158e7f3eea3c342446e99ffae6c35304bbdd3a1

SHA256
390fc7b9a66c5690a41fcf842f478586f273d5ffe904952404b536cd4da2b8ae

SHA512
29569b05e134a47d0cc756849abb055ac672decb0fb69bbb9815bc29b68df93e85ed741587cf0c799b648c534447ae592afaebcb7f1b3d89f2ccc640f99f523d

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
dbb2aed5cceeac3af3250ef2d654a85b

SHA1
5dc14046ad4974984332e7c58779f9fc3d29c2a6

SHA256
15cb238440b1025ff998c6abffdab4bb9bd41508b483539d8b3574487708bc5d

SHA512
2ca66596ff6e32dcbae3a3f386679208fa7a28ff9c2212b0940a6b7e264a074414bc4fe5fd5908b3b741d608faf2e882222b6c6db937943f3c987b2e3b2b2698

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
32c2f36ded474af47662c92f54ad0347

SHA1
e66dd7d01cba0905a59e6b33bdabe7eecda97a35

SHA256
e58bf77fd1f36be6ebbe2ba190df36ce0be5231d589ba0f78d7634a20a69263b

SHA512
3cdfd995a8136b441e51c9162c751f56d932aef1c25faaeaf891f20ff4ec162ed96a4010ec044d9e62a234367a5dbd6e86eec3fb3b5a0e7415317c8435b0774d

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
f9ea40393e436db15ad7dfac0c472004

SHA1
36338598cf1d8156e0375c7d15554d3e79d8b22e

SHA256
c0375a7121b4454fe2534fdbb061444944d7e8493ecfbcd15bea50d3e8455b7b

SHA512
c969a19b662edc52993ff3bb1cb821da5b01f45b2c66794999dd34e89daf13da3656c6ee06fff75cf743fa0f915e2d77b3dba0b46954d6b48e35ba573aaf895e

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
2391cf1b22a00e3f7059bf3d03b7abcf

SHA1
d114a7185b0257ae49b0af9f2886327d172504b9

SHA256
c36e909192c0aa15b0d869b2ea52edbce53495c6d222a8ceec702f9c53b46080

SHA512
939c425966e9f28257b736ddf07e46dad7fd77ea3c263f98243617a7925eec98ea7cc6acaca84fe0a165d528d12ab72ddf2418329da5e5975d157b034b73768f

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
857cc7aac8ac13c2980ea236bc4ea01b

SHA1
8c853b140af2c3eab541546b5313bd4b1f92be1b

SHA256
56246916d8e4b6bfb1ca044ef090ea31547897b547ba5cf914083902c5aab6cf

SHA512
4870ac1ba4e66ec5dba92b461b92af73112717392c8a82d84dba9d9db49011f8430332e1c410073a5d0c283721e8b09a7dff24f2aa18c184608565935ecd0fc0

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
857cc7aac8ac13c2980ea236bc4ea01b

SHA1
8c853b140af2c3eab541546b5313bd4b1f92be1b

SHA256
56246916d8e4b6bfb1ca044ef090ea31547897b547ba5cf914083902c5aab6cf

SHA512
4870ac1ba4e66ec5dba92b461b92af73112717392c8a82d84dba9d9db49011f8430332e1c410073a5d0c283721e8b09a7dff24f2aa18c184608565935ecd0fc0

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
43cb9943084420c206681f0f3db147fe

SHA1
980fad965f2f8bec97e94bd10e5268611c8ef57d

SHA256
00c19e92c45ed4199f4c9ecf43840f9376d420059873748709d8769131fdf547

SHA512
fc700bf8929573505fcfc335160725d6eda6f9b6821ce03549f47396723223d1876cd9ce990c4117615c3f18fa302f09acd9ea0f7232736a283a6c96304371a7

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
ce584f882fe033fa2f201272d8d3ea96

SHA1
7698b6a1a3bc727e7cc0e5af98d0aa75a99507c8

SHA256
8e4f5fb274feb5f30809942749ab69957e9ca9002ec7411092c722189a76d030

SHA512
b364bf1171fc9c317864ad650f6a62c429f9c63aef81d45579fe99372418be2ff4ed1ea08f6f82c6f7505dcc6e060fe37ffda0e638646d61fe29ec5bda9b5428

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
008665a885597b6c8638cc689e38417e

SHA1
1a39d28a3b31ada50ad2dcda6a841e7b210edc50

SHA256
374eb9e4f9220c17924f135a5193445939ce40514f4647b96402f5e6435fa931

SHA512
23b9eafb089284a8cac8e21e883f38e203cc7a41133307bdcaeccc009db7cb3b9864832d8933816cd04754d12f48b0cd41d84df0f4e672131023ec8fcd6656ae

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.2MB

MD5
d5702fd55cf6333516a66bae2f478274

SHA1
777cf79bd873375610b2d78c5f221cc478689d25

SHA256
52fb35bb4aa81f79de93e1f835b364f95a38bee7113b31b961961f5bdd1cb78d

SHA512
067d9b99172314b6b81bfbf4bc31d19733f817ce664a9e93e9f4df657a54dd3fcc7de9d468697491ac27499d1fe77eaee9a92962eebc4d68d05f8683bf519937

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
34f849d4443d07d16049c86c606f7bc4

SHA1
9e4751e532d40ce1d676a6626765a6a679d2504f

SHA256
b44f416a48464da7b10206d5d81c0697bbc884e9edb78b1e5d7ea48be7bc0f46

SHA512
b9be8aba1c219ca72a004e05566acbcf0d6b04fe30680250198e4b2ac7460d3b7a8ae0d22d173a51cd6d8532928c46796487aeba0da89dce6918f417042e3ac5

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
741477c2b4f838fda2db301f89c08131

SHA1
0fa3fea0a1269fd4be2996a829783b3633737e94

SHA256
501be2e3590f9776f0321a800c605371c3d971ce5511bc1d8c3027c40319b78c

SHA512
4fde6b2aa3b793570dce48556cc789cfb869f22b9789a46aed3e6dc93b7aa0d7b69c0dc18887cdfc8a7bb96d125f0aa71ba342ee69697c6d61d01ee0225d188d

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
e031d96feb6bf5fec08bfb518699086f

SHA1
4a75645e7c3b9a9f668cd9e678fa1f2f34a5b9a5

SHA256
905ddc94b645384d399e18ae9fe72981d14e4409dc2185e0b95be6912f8eb751

SHA512
43bb41255f7c36b4c775fa467a02cfa6a12e79735396405f0cdb7dc8876a02f955a6251953fba3302e2b059a2fb704cb20fa0c9a0e2477dd68caa4e79e097b83

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
fa157aefdc293bb05901db793567150a

SHA1
4c4f77edc519c414b489e7b3e19118dc864c09dd

SHA256
74d67f3f4fbba91eb38905029ea73229659d2c74ff542ab0ebf575fadf0c8db1

SHA512
a78dfdaf7eb32278214433b4a9c5d1775e1dfcd20bd14a0d70befccb3244e51a3571da5d5f50ecb91e9f2d36807587dac7d8f86a2a780c2a2aefd8bdc3598970

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
ec8acc266f077b61aa7590e4162a79e1

SHA1
0b92b409d8bdd4c4a1d354aca617bbf4254eef4a

SHA256
c33cf2f29ac6bfa49ade9a18f27445b4dff1c597f5b27fce608d6263962bbee8

SHA512
5eb9518a44321044da270012d3351e298f7a563eb30367e551efd560e9a414e82d04cafeda139a238fbbd63ee29d7412675f7fbcf9326f89b0a09b916c950878

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
8d67e17bf6c882d52128b452ec837e23

SHA1
ab870ff48e5e07b9732c5da160511e1b9904dea0

SHA256
b20bba661d5011fd130dfdc52d4e8dbc4919e504d13f96c899c2fdbd19dad19d

SHA512
202a6353631d95557b51a82831cba715301ffbeb91ccb0b734a2759f8e3fdb6c46dce61fe02dbd9dd66ea39d8d9cf1dc816afb00ea2aab0d2a449ac50ede8d94

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
b747fd36bedf0c31e3e223578a799e25

SHA1
a6acac9489e866bab7335c70ed293ecdf49ad6b5

SHA256
fa571b6f3707aa3853feaa980787ac61ee537776d12a74998270d3feba3f0781

SHA512
d54adcb1d67a7f4e1fdd8357d406adcbef8d68cade10f80a15d105a07a9b0ef44963207ec1dfbbe52dd9631e2db4b2ca1d6b788303754518da62e933a6e10fff

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
915953c31f4a40f307eed28480f34094

SHA1
2b884fc3a314acb07b7850d8eae0666ad74116a1

SHA256
e3c00c29aa9220eeac5c425168e47040e8269403b9cd3a9a8acd102cf3ac0a20

SHA512
3498b5db8d1bae5d303bd3191ac22196267fcab00d94372bfb1d956188dad99dbcc5b517f5af087fcd32160cb5680962ce2f578b0ae9f5a2863a384d1d92cc89

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
602e23d6b5be2aabbc5822f4bb88095c

SHA1
d5b84d49f963c74d473f91840906a1e63f6d632d

SHA256
6aa6d80cf5a897e3eb5eccf6c4fe6f892c0448c0d6f5f0ce96ea52dc6c9ef865

SHA512
15773c69b1190592c2b61ab6f1e4720a59040060055e6f2f10291a53d14db70a25ed5dd03543ec4af9cd44b3c42d9a9b6752788c3b6360fc81ffce944e71a33c

Download Submit
C:\Windows\system32\AgentService.exe

Filesize
1.2MB

MD5
e458d9b43488d2eb18c77d657cb4ae95

SHA1
79d15dce10ea6fa9cb23691de22ceabe3d1ff4fa

SHA256
4b048380439b5837c109a52464376a2d415ca940b83be512fc1f5d6cb0b4364e

SHA512
40d22e11237742d26e3be7f8bfb06f574410059af879a23ec8a13d5232b872aea76a87df6a2507418be59b17d620a02f6e34f13567361820410065cede93d298

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
d92b4096818f74b05db94e6dbe116ca0

SHA1
b2e6789f607dfdadfd797e3f559d43c647ce1199

SHA256
4fa6435ee7c327acc9f48ddce193201ea89977346f7a1c3920582ed632129f5e

SHA512
cf8d113fdc716d6af6ccfb9628847570c7fa1ca358411ad55747676617adad9e3821b1fd157a581b786481ed83c820c042b96d90b95ecea03bbc50e7b4fe1d69

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.2MB

MD5
2443efd0902e464542d03507c7eb4f02

SHA1
eabf61fad9e718de12b8ced29cfae3752b82b013

SHA256
038f64331e383ae604f349eb28c0ef8082917a3337c884a576040e3f4232f7df

SHA512
c8de5b22277dcbdfdadeaef14f5b82e28f6a01c8becfe1f146e3b5686a7909e18b4c0bb188c057c177ef9b5e599481f9023890ff5f1f72af68e307da642230b9

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
f9ea40393e436db15ad7dfac0c472004

SHA1
36338598cf1d8156e0375c7d15554d3e79d8b22e

SHA256
c0375a7121b4454fe2534fdbb061444944d7e8493ecfbcd15bea50d3e8455b7b

SHA512
c969a19b662edc52993ff3bb1cb821da5b01f45b2c66794999dd34e89daf13da3656c6ee06fff75cf743fa0f915e2d77b3dba0b46954d6b48e35ba573aaf895e

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
a7ba91283366623f2fee8d5f424e8afc

SHA1
ed170783cd3ac9901f3dba76d9d5bbb6672499fa

SHA256
8ba9bdeb7b81606b95855eca0e313f9138b874bb80ffbbc97028756173c477d0

SHA512
569228a6386b56ed175602e887d7c401e6e6feecce622f2e707d10bf225f492677eb19632109b91963e59e880a115bad6eae01100f0992463d2569312d03de3d

Download Submit
C:\odt\office2016setup.exe

Filesize
1.1MB

MD5
fbf536d956d83122ab7ce8e8dd656b6c

SHA1
fdf748ff8a7b898b3f54fc7563ba941a83466845

SHA256
ee6a279dcbee0c00fe5ac2bd95a4ec9cca8c3778c49991c0394fe26af4ac801c

SHA512
8b0c4aeedf76d61ec3bf655da44714b4eaa660e9ef3516806aa1336d99ac90be4aa465ecf142f6e3357fc24af8041213792e07ddf527f396f799c6b8bbd6ec00

Download Submit
memory/364-385-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/364-217-0x0000000000D30000-0x0000000000D90000-memory.dmp

Filesize
384KB

Download
memory/364-223-0x0000000000D30000-0x0000000000D90000-memory.dmp

Filesize
384KB

Download
memory/364-226-0x0000000000D30000-0x0000000000D90000-memory.dmp

Filesize
384KB

Download
memory/364-228-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/364-606-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/372-259-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/404-380-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/760-605-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/760-383-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1128-133-0x0000000000BB0000-0x0000000000D4C000-memory.dmp

Filesize
1.6MB

Download
memory/1128-139-0x00000000093C0000-0x000000000945C000-memory.dmp

Filesize
624KB

Download
memory/1128-138-0x0000000003230000-0x0000000003240000-memory.dmp

Filesize
64KB

Download
memory/1128-137-0x0000000005750000-0x000000000575A000-memory.dmp

Filesize
40KB

Download
memory/1128-136-0x0000000003230000-0x0000000003240000-memory.dmp

Filesize
64KB

Download
memory/1128-135-0x00000000057E0000-0x0000000005872000-memory.dmp

Filesize
584KB

Download
memory/1128-134-0x0000000005D90000-0x0000000006334000-memory.dmp

Filesize
5.6MB

Download
memory/1368-173-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/1368-163-0x00000000004A0000-0x0000000000500000-memory.dmp

Filesize
384KB

Download
memory/1368-157-0x00000000004A0000-0x0000000000500000-memory.dmp

Filesize
384KB

Download
memory/1496-199-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/1496-181-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/1496-201-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1496-187-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/1508-457-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1508-621-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1932-230-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1932-524-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1932-206-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/1932-213-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/1976-257-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/1976-232-0x0000000000D00000-0x0000000000D60000-memory.dmp

Filesize
384KB

Download
memory/2284-169-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/2284-459-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/2284-177-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/2284-176-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/2292-261-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/2292-550-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/2660-334-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/3068-587-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3068-315-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3640-144-0x00000000031B0000-0x0000000003216000-memory.dmp

Filesize
408KB

Download
memory/3640-140-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/3640-143-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/3640-404-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/3640-154-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/3640-149-0x00000000031B0000-0x0000000003216000-memory.dmp

Filesize
408KB

Download
memory/3652-203-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3652-460-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3652-198-0x00000000004D0000-0x0000000000530000-memory.dmp

Filesize
384KB

Download
memory/3652-191-0x00000000004D0000-0x0000000000530000-memory.dmp

Filesize
384KB

Download
memory/3716-562-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/3716-281-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/3768-197-0x0000000000E00000-0x0000000000E66000-memory.dmp

Filesize
408KB

Download
memory/3800-279-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/3956-313-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/4104-358-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4104-604-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4156-311-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4156-554-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4888-667-0x0000028D269C0000-0x0000028D269D0000-memory.dmp

Filesize
64KB

Download
memory/4888-674-0x0000028D269C0000-0x0000028D269D0000-memory.dmp

Filesize
64KB

Download
memory/4888-673-0x0000028D269C0000-0x0000028D269D0000-memory.dmp

Filesize
64KB

Download
memory/4888-672-0x0000028D26930000-0x0000028D26940000-memory.dmp

Filesize
64KB

Download
memory/4888-671-0x0000028D26910000-0x0000028D26911000-memory.dmp

Filesize
4KB

Download
memory/4888-666-0x0000028D269C0000-0x0000028D269D0000-memory.dmp

Filesize
64KB

Download
memory/4888-642-0x0000028D26930000-0x0000028D26940000-memory.dmp

Filesize
64KB

Download
memory/4888-641-0x0000028D26910000-0x0000028D26911000-memory.dmp

Filesize
4KB

Download
memory/4900-355-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/5032-405-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/5032-617-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download