blustealer | f101138228ca15bebf19e1802f716601ed0094373bac649e9e0d9f1bfb2e74c3

Analysis

max time kernel
147s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
17-04-2023 18:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
Size

1.5MB
MD5

76a953005611843cca8ba94dc2ffbfcf
SHA1

af634f838961dbeb328c9fb09ab23cb1aca2affe
SHA256

8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135
SHA512

06095412d5fe83e4741ab31a4fe890283c0b8b659ea7fc2289dc52e1ed2c07cd8619e8fdbc9368a4980c6e8b43161472d55d96552df2b57759e84c9a85a16a3b
SSDEEP

24576:8r1voTP6JZs4KoxhV2EiP0Av/1IZwA7dTej7Tz5IDuvkuwV7GkeoAu2j7NiznXBy:8r1voTP67sJoxTiP00/OH1eHVSJXT281

Score

10^/10

blustealer collection spyware stealer

Malware Config

Extracted

Family

blustealer

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 22 IoCs

pid	Process
5024	alg.exe
4696	DiagnosticsHub.StandardCollector.Service.exe
4252	fxssvc.exe
1300	elevation_service.exe
116	elevation_service.exe
2732	maintenanceservice.exe
3304	msdtc.exe
2000	OSE.EXE
4068	PerceptionSimulationService.exe
3040	perfhost.exe
1624	locator.exe
1608	SensorDataService.exe
3568	snmptrap.exe
4284	spectrum.exe
2700	ssh-agent.exe
1944	TieringEngineService.exe
5100	AgentService.exe
4912	vds.exe
4640	vssvc.exe
4180	wbengine.exe
4956	WmiApSrv.exe
4480	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\f32dba44c9ce9937.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Windows\System32\msdtc.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Windows\system32\locator.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Windows\system32\spectrum.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Windows\System32\alg.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Windows\system32\msiexec.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Windows\system32\AgentService.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Windows\system32\dllhost.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Windows\system32\vssvc.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Windows\system32\wbengine.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Windows\System32\vds.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4108 set thread context of 5072	4108	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe	85
PID 5072 set thread context of 2012	5072	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe	90

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\keytool.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\servertool.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javac.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\klist.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\java-rmi.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstat.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmid.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\xjc.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmic.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jabswitch.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\kinit.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\ktab.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\policytool.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\unpack200.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\pack200.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jrunscript.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstatd.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\nbexec.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\keytool.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\schemagen.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\pack200.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\orbd.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\wsgen.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jjs.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javaws.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\unpack200.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\klist.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\ktab.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\ssvagent.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\keytool.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmc.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\servertool.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\orbd.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007ed5c0f56d71d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000eacfc3f76d71d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d39b6bf76d71d901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000053711bf66d71d901	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d49e68f56d71d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000022ed3bf76d71d901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	68	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
5072	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
5072	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
5072	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
5072	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
5072	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
5072	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
5072	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
5072	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
5072	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
5072	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
5072	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
5072	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
5072	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
5072	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
5072	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
5072	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
5072	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
5072	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
5072	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
5072	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
5072	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
5072	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
5072	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
5072	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
5072	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
5072	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
5072	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
5072	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
5072	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
5072	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
672	Process not Found
672	Process not Found

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	5072	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
Token: SeAuditPrivilege	4252	fxssvc.exe
Token: SeRestorePrivilege	1944	TieringEngineService.exe
Token: SeManageVolumePrivilege	1944	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	5100	AgentService.exe
Token: SeBackupPrivilege	4640	vssvc.exe
Token: SeRestorePrivilege	4640	vssvc.exe
Token: SeAuditPrivilege	4640	vssvc.exe
Token: SeBackupPrivilege	4180	wbengine.exe
Token: SeRestorePrivilege	4180	wbengine.exe
Token: SeSecurityPrivilege	4180	wbengine.exe
Token: 33	4480	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4480	SearchIndexer.exe
Token: SeDebugPrivilege	5072	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
Token: SeDebugPrivilege	5072	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
Token: SeDebugPrivilege	5072	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
Token: SeDebugPrivilege	5072	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
Token: SeDebugPrivilege	5072	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5072	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 4108 wrote to memory of 5072	4108	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe	85
PID 4108 wrote to memory of 5072	4108	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe	85
PID 4108 wrote to memory of 5072	4108	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe	85
PID 4108 wrote to memory of 5072	4108	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe	85
PID 4108 wrote to memory of 5072	4108	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe	85
PID 4108 wrote to memory of 5072	4108	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe	85
PID 4108 wrote to memory of 5072	4108	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe	85
PID 4108 wrote to memory of 5072	4108	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe	85
PID 5072 wrote to memory of 2012	5072	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe	90
PID 5072 wrote to memory of 2012	5072	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe	90
PID 5072 wrote to memory of 2012	5072	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe	90
PID 5072 wrote to memory of 2012	5072	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe	90
PID 5072 wrote to memory of 2012	5072	8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe	90
PID 4480 wrote to memory of 4792	4480	SearchIndexer.exe	113
PID 4480 wrote to memory of 4792	4480	SearchIndexer.exe	113
PID 4480 wrote to memory of 4412	4480	SearchIndexer.exe	114
PID 4480 wrote to memory of 4412	4480	SearchIndexer.exe	114

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
"C:\Users\Admin\AppData\Local\Temp\8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4108
- C:\Users\Admin\AppData\Local\Temp\8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe
  "C:\Users\Admin\AppData\Local\Temp\8673653b4e2feb2342836fa526e90d2412ff6f61d77e693efb0172827f45c135.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5072
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path
    PID:2012

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5024

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4696

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:892

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4252

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1300

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:116

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2732

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3304

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2000

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4068

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3040

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1624

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1608

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3568

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4284

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2700

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4748

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1944

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5100

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4912

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4640

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4180

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4956

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4480
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4792
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4412

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
e8c1300ec73e78ce79b936ee888c5664

SHA1
5384b98e83b9bf273414cdfc9856eb8b1b4b87b5

SHA256
275f4445ab8d6b70dc5ec338211a66342aae491e0d928816364cb7acdb9a5abf

SHA512
a212ec5b799fd8bc65a604e972fe667e1d779f4bd8b99803c8fd83f1254d598f9c7a1b37c5f0bb4dda028fd06a404bb01eea4b78b3a9c96da9d9e2718037b730

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
0a571e042459a8fe7b7474c9e06cae62

SHA1
a36b44cf14be09a23b775578da6873d29291db7e

SHA256
d5c9f794a78bdbaf9c9d67f2b4114670867b9d8d43931b44a9aeb2ce32b8ab06

SHA512
1da78fd9b9ac986b61a847c9adcab628cc4d20a738e5ad636a662ecb3d28f4a0620c7b517b839fa9acdd8e02cd4c9b15a4e240e8f60369e3b5cef7e8409deebb

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
db69b98483b3110323c68579cdb8ec01

SHA1
faa6f8e71a5dc2a570d4c74ab9f28e44f3cc8f8b

SHA256
d4b75f131dc62d4cd7b42012d96273edaf859ee399ab71ffa13427ed4bc02016

SHA512
deb0d72f5a4999b46abad308acf6e81b8df900a799801468d5ced5b8d7bdb048378b24c914660852b23f6dcadc9067877e17ff399e978b79bc529c1da6161ac5

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
da605dc35bfb3175fb3c000b24efb43a

SHA1
ae5a06a2333c53e8bbbbc32f4e645ae6da8415a8

SHA256
50eb837d540d5407674d5c2ee3cf64dc688a7df4c56ceedc9870e95f3779b8d2

SHA512
7cbfbfcc11a42e5ee67e10ba644f91ddb3721c3fcd054c66f732c82bb1cd3b1ed3860a31b3b20f96b80b4f8daaace73a5de98e58962271031d7248eb8a64fe99

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
3d8280a98c7d69a2f971732aad14b71a

SHA1
bcf3cacfd2134e3788d5beed9b5873c6b3d781d5

SHA256
141ab37df66735d786705a5bdd1510fc3ea1fd3aed1acc6ec6085263fefdb346

SHA512
82b88063112beb7acc18ab7ddfa85c3841b0c7d38829f481874d38d7218266a2cc2b7f99f5e759da2648065262ae05b36a142c4ad1ef7e1469547e9b736a82f5

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
74c6ce611e351fc375e8be6fa7ae4364

SHA1
505f88466026a35c9d73febf96f8f35900b6799b

SHA256
cd277f0585d7615f83549246e850877caa33edab04ef46d3df185338a96694a6

SHA512
e6e0d19b6e3f494d6728b827b96bed05fbf0a99df0e04757b3785e4b44c3264d9d642f2c0c5b162a7c423267d12d869838659f035ddd2e0cb23a6c6b6bd1fd6b

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
814b6447e565478376718c12093354a8

SHA1
8aba9c0ab0f23d52999993e1578a14cc03f7758a

SHA256
7524cf33a809c7b2cda395453e9f18f80094b0d369814cc39b20a613c3a0ee8f

SHA512
5b6b6b71de38cf0466985d1dd0aa478b5aead7096cd234253affa84966daa57e0087825b7f256f1ae08307c1cd35776af46ba91b6ca4578fd112ff2d4ce98a97

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
81f4ee2bb59e819f2aa065713e97af29

SHA1
519717eff62efc316e3c4df457afd5f776a02bcf

SHA256
8b262a3d28a7c60b35decbdf5dd2dc594241ecbb04a7000fb18cb1fd11ed6326

SHA512
2f7abbec0503d1a342a737a836950ed9a5737f44ea6319b915cf8a0be9bb7a3848d75cdbe568778de38fd8778067fd9958c97f1b1e95423cff2fb691fab10919

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
7ccb34a72e5ad5711786769cfd6182fc

SHA1
b47e7495e28ea155cd9361457774ca94311f782c

SHA256
170a07cd61d75ae2559f0658fc2b6a95c4deaa5272d36904a177de71dec67d7b

SHA512
f52e2be67ea56a357163d2851afa3bf66d105c560637ef810578beba8c8ff18540b6fa7521f99cd51e4d5c5afc7ad8c789ed970027e1ab974528006ff8e0a2ca

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
aabd1c4521f2099cfe355970007a9b9c

SHA1
bb1609de3c512f550ae034f611d6af2477ce8873

SHA256
eec85c5e54740c540b0ee4fd6282cebf59c94d22d0e3275f1e7c93bce5495965

SHA512
bf3b001e98ff593e1a66c1b24762016bbe90812535d108acfcac01b366a6a9b7372831f435393f9d3f76e8c3a1676a751af97d0fefab0209da3f20d103e613c3

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
aabd1c4521f2099cfe355970007a9b9c

SHA1
bb1609de3c512f550ae034f611d6af2477ce8873

SHA256
eec85c5e54740c540b0ee4fd6282cebf59c94d22d0e3275f1e7c93bce5495965

SHA512
bf3b001e98ff593e1a66c1b24762016bbe90812535d108acfcac01b366a6a9b7372831f435393f9d3f76e8c3a1676a751af97d0fefab0209da3f20d103e613c3

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
7a101ab728e1fbaff4042698aaa574df

SHA1
e5335b9908a178a42444f7949bec54676bb2dea0

SHA256
1cb7e5b1d54d6507015b6aab8805db9d49dcf4ca62014af643bbb5d8bf9f9172

SHA512
a40f53aa7d6acc23095c2b72ce048ef09e5f52f627642a4e95ba110cfc8c58d473eb99354de4bdd081f8f7a33e35e4ec83cab9572421aec1b89cf92e8425506e

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
bc0b4a6b9d451a68dd52ccf0fba346dc

SHA1
1245c3dc77dd71a7168d047c9f192078a04478d6

SHA256
f12f8ac6769285bbbc096bb6200edceea7ad237cea0549e2bb5d6db5994a8d94

SHA512
892273197745dfe715d953c31f8b0c2365eea64438134b1ef776f32eab635c87ba8808113aac2d072c9b711a045dca5d53ee2b677fe01778c9cd173dd8f608ec

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
f96244340a87593bf440ad9705caa146

SHA1
7c74a3c69e75e7e86bf1f66557f791c6c69081ab

SHA256
0318fe1d6704ffc7e9898cac1e95ac799ab92e1ffa011c7c341af67e56775c5f

SHA512
04f4869654eb8a78f34aaf41c30e35c55943298fdf9d7f0b20200c7cb2d296ee4642e3470e829e8018e32ed6753f4fdbb26e4e3e3f02e58d4f705d35a4fdf805

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
4334de465f530c75fd33ca4a87d13031

SHA1
31d6f9f07eca3b5957b7e6a43569eb14ce93a29a

SHA256
1c45f1d55c78213a456f94e14738ce02e0d11f815e30767052d2910037388ebb

SHA512
7002d5e3e6d82000f1c8c1c2aa6a38994223a552b28b7647ee26335493ea6f8a8e981dea24f9df9826b7c56986c3dbafdd8b7a49efea864591f963fa3b95c302

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
529982efb549e88815f4f57ea0bfa9e1

SHA1
e18477848b0ec1a1c6b55091e6decf71c96e9944

SHA256
89e3afc9667530bfbb5bdfd2febd9cb5dcdb1fd1696c58668925e24f8cd28d86

SHA512
ddd56fe8a42be4fae4f9a87c8b4ac551288da0198c41a4bde51d00727b61fbf1f8c59d18fc2e6a71bbf2ebad20041470583299c6493647fa00e2cf09c0890161

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
8752fd60fedf4c99a7aec044802bfc0e

SHA1
e27d5ab9dcfde8c61e27d038a5def91887056618

SHA256
c450541cd903f4ff0dd7699dc99e3885e4b877e71e1f82422def692b9c38c54c

SHA512
6ebd10698eba03adb1785595ede95a07ec229699a647a9aa640d6ef06ac28712e10f5a521441037acf35f2869c0f2549b260d4f13e3ff54cabc07203952dc2eb

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
68ccdb31edbb5a595bfaa3c93ac29b82

SHA1
e81100d0e4a46679ba5b6b335750868f48c69625

SHA256
5d621d4623a1e806272b50ee68ad93a91795387272efccd477680d7785caaaa8

SHA512
908195ba4f29fa79360a904f34bd4f2d5a49a81e3281c798dc2c786e8fc16746ff33e5fada76160fdc42e0a2ad8510682b2075aef3195651a2a014cdddf9482d

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
9dddf69ed6a4fdafe5db3dde22d4ff16

SHA1
1840bd2eee64efaec165531e35dae0ab5473a21a

SHA256
983585cca035be9d4f04ac092dc8e2d298a2f1a9fbfa50aa340b922b9e3a1134

SHA512
ecdef086d5dcfac27c98bec5a9d3a3797d410fa58592f2a4d5b3d3f6f8bdc08ce2c5c2f4649f73d900cd8ee7683a475bab80d0ca92dcfb0c4b3f6ec9ce4794bb

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
565678de22fb0e6ceccae4a4b124a96d

SHA1
924a215ef70504fdca8f919c5fa37f2eca97143e

SHA256
52fbeb55f19cd13a8602a465c4e65fc0821c91ba5b622d2c3f70c568cd310ffc

SHA512
a23f5b60a5d04c5848986a7fcfc7f07183b853cf671b0406b6687b81d71e1afcc3fe04ee0e37fcae30b48c46f58ac56accba0a666da1dd67a9fba62d8667d702

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
7a2750ac48a89b74f76084749017f64b

SHA1
6512bf32fb424c54d5460057844243709753f2af

SHA256
740998a870fe453fe9fa460f2370bc8cbd77ff3c4cd23815123de35a6d7ce546

SHA512
4f06af3e40187188e0d604d3660b2aa188ed826ff109897d76bf4a99510453be051073faabf2e6c28d9067f346282a08699ac23f6404a5bc757b3f29c05ad920

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
d94470aee7250ce61d6539b83b24af0e

SHA1
c5e58b3d847845d1a7e089a4b88fba1617a766f8

SHA256
f6acbc6707ff2709d8b691cd9d496a8f0ee21dde32245f891aa46bab06c8e7de

SHA512
ee270f5c9233ba64e48fe65a896a0ed1ea0e25cfa4799957071e85f39ddd3209a5aa4ff77cc7558fafc083fc86f3bf09c676368dfb5c671d06e9ca0136645afb

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
c6e677383571a9d83a9102d8e6702df2

SHA1
5435f9a7b0502fdb4242403da7555a395156bec7

SHA256
fba618bc6dc8877030677da95e200142f890201717312ee418e6017dfc2cdf3b

SHA512
1ed2ff4ed4e042b7a25496ea9cfc9eecbddab305ac785943be9aa89886b7855742b2dcc8b0b9eb9875316286c5e0c13e5ad5adf44283d044c383b494f1838d05

Download Submit
memory/116-207-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/116-213-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/116-264-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/116-229-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1300-263-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1300-202-0x0000000000960000-0x00000000009C0000-memory.dmp

Filesize
384KB

Download
memory/1300-205-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1300-195-0x0000000000960000-0x00000000009C0000-memory.dmp

Filesize
384KB

Download
memory/1608-582-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1608-318-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1624-597-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/1624-291-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/1944-366-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/2000-249-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/2012-189-0x0000000000B40000-0x0000000000BA6000-memory.dmp

Filesize
408KB

Download
memory/2700-342-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/2700-615-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/2732-230-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2732-217-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2732-226-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2732-223-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3040-290-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/3304-232-0x0000000000550000-0x00000000005B0000-memory.dmp

Filesize
384KB

Download
memory/3304-247-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/3568-320-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/3568-603-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/4068-288-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/4108-135-0x0000000005F70000-0x0000000006514000-memory.dmp

Filesize
5.6MB

Download
memory/4108-138-0x00000000058C0000-0x00000000058D0000-memory.dmp

Filesize
64KB

Download
memory/4108-139-0x0000000006EB0000-0x0000000006F4C000-memory.dmp

Filesize
624KB

Download
memory/4108-133-0x0000000000DE0000-0x0000000000F62000-memory.dmp

Filesize
1.5MB

Download
memory/4108-134-0x0000000005920000-0x00000000059B2000-memory.dmp

Filesize
584KB

Download
memory/4108-137-0x00000000058C0000-0x00000000058D0000-memory.dmp

Filesize
64KB

Download
memory/4108-136-0x0000000005AE0000-0x0000000005AEA000-memory.dmp

Filesize
40KB

Download
memory/4180-409-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4252-192-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/4252-187-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/4252-181-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/4252-194-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4284-341-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4284-614-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4412-666-0x000002B5D6D40000-0x000002B5D6D50000-memory.dmp

Filesize
64KB

Download
memory/4412-705-0x000002B5D7090000-0x000002B5D70A0000-memory.dmp

Filesize
64KB

Download
memory/4412-748-0x000002B5D6C40000-0x000002B5D6D40000-memory.dmp

Filesize
1024KB

Download
memory/4412-747-0x000002B5D6C20000-0x000002B5D6C21000-memory.dmp

Filesize
4KB

Download
memory/4412-741-0x000002B5D7090000-0x000002B5D70A0000-memory.dmp

Filesize
64KB

Download
memory/4412-744-0x000002B5D7090000-0x000002B5D70A0000-memory.dmp

Filesize
64KB

Download
memory/4412-746-0x000002B5D7090000-0x000002B5D70A0000-memory.dmp

Filesize
64KB

Download
memory/4412-745-0x000002B5D7090000-0x000002B5D70A0000-memory.dmp

Filesize
64KB

Download
memory/4412-743-0x000002B5D7090000-0x000002B5D70A0000-memory.dmp

Filesize
64KB

Download
memory/4412-742-0x000002B5D7090000-0x000002B5D70A0000-memory.dmp

Filesize
64KB

Download
memory/4412-708-0x000002B5D7090000-0x000002B5D70A0000-memory.dmp

Filesize
64KB

Download
memory/4412-707-0x000002B5D7090000-0x000002B5D70A0000-memory.dmp

Filesize
64KB

Download
memory/4412-706-0x000002B5D7090000-0x000002B5D70A0000-memory.dmp

Filesize
64KB

Download
memory/4412-688-0x000002B5D7090000-0x000002B5D70A0000-memory.dmp

Filesize
64KB

Download
memory/4412-687-0x000002B5D7090000-0x000002B5D70A0000-memory.dmp

Filesize
64KB

Download
memory/4412-686-0x000002B5D7090000-0x000002B5D70A0000-memory.dmp

Filesize
64KB

Download
memory/4412-669-0x000002B5D6D40000-0x000002B5D6D50000-memory.dmp

Filesize
64KB

Download
memory/4412-668-0x000002B5D6D40000-0x000002B5D6D50000-memory.dmp

Filesize
64KB

Download
memory/4412-667-0x000002B5D6D40000-0x000002B5D6D50000-memory.dmp

Filesize
64KB

Download
memory/4412-665-0x000002B5D6C40000-0x000002B5D6D40000-memory.dmp

Filesize
1024KB

Download
memory/4412-663-0x000002B5D6C10000-0x000002B5D6C20000-memory.dmp

Filesize
64KB

Download
memory/4412-664-0x000002B5D6C20000-0x000002B5D6C21000-memory.dmp

Filesize
4KB

Download
memory/4480-625-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4480-437-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4640-388-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4640-623-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4696-179-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/4696-176-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/4696-170-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/4912-387-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4956-411-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/4956-624-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/5024-163-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/5024-253-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/5024-156-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/5024-164-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/5072-161-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/5072-252-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/5072-149-0x0000000002D30000-0x0000000002D96000-memory.dmp

Filesize
408KB

Download
memory/5072-140-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/5072-144-0x0000000002D30000-0x0000000002D96000-memory.dmp

Filesize
408KB

Download
memory/5072-143-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/5100-367-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download