blustealer | 85025d82417b78241eb3e406ed633597911e1b73ae5f712f03ee18f60b16324b

Analysis

max time kernel
146s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
30-04-2023 22:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
Size

1.5MB
MD5

13dc441ec2f9e3f9aa1f354a4b14d318
SHA1

05b62c596ca78745d73514cd5d43434929955863
SHA256

6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c
SHA512

30f4da77bf1ba35334fc1812a6792bb91396fdc8cc7b918f81c6395a48523079cccc89c7090b5c21c30ab62939fa8663cc695ad7d876f083773f7c85cffc5242
SSDEEP

24576:TwMryIYPOfPFxgvnRnc215nETdxUA6p7GDHDCf0uEywBk1EM8Xzd:Md5PsPfgvRv0gA6pYC52lD

Score

10^/10

blustealer collection spyware stealer

Malware Config

Extracted

Family

blustealer

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 22 IoCs

pid	Process
1404	alg.exe
3628	DiagnosticsHub.StandardCollector.Service.exe
5004	fxssvc.exe
3872	elevation_service.exe
2272	elevation_service.exe
4996	maintenanceservice.exe
2248	msdtc.exe
3092	OSE.EXE
2864	PerceptionSimulationService.exe
2152	perfhost.exe
3200	locator.exe
5092	SensorDataService.exe
1600	snmptrap.exe
3624	spectrum.exe
5080	ssh-agent.exe
2784	TieringEngineService.exe
4068	AgentService.exe
740	vds.exe
3356	vssvc.exe
2220	wbengine.exe
3296	WmiApSrv.exe
4260	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification	C:\Windows\system32\msiexec.exe	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification	C:\Windows\system32\AgentService.exe	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\8a2c118150d0d086.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification	C:\Windows\system32\spectrum.exe	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification	C:\Windows\System32\vds.exe	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification	C:\Windows\system32\dllhost.exe	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification	C:\Windows\system32\vssvc.exe	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification	C:\Windows\system32\locator.exe	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification	C:\Windows\system32\wbengine.exe	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3924 set thread context of 4868	3924	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe	88
PID 4868 set thread context of 3744	4868	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe	95

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jabswitch.exe	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\pack200.exe	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\policytool.exe	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\orbd.exe	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\unpack200.exe	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\java-rmi.exe	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\java.exe	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\nbexec64.exe	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jinfo.exe	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmc.exe	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\pack200.exe	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\serialver.exe	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\rmiregistry.exe	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\tnameserv.exe	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\rmiregistry.exe	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdeps.exe	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\klist.exe	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\policytool.exe	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jrunscript.exe	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\tnameserv.exe	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\ssvagent.exe	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jp2launcher.exe	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javac.exe	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\klist.exe	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\klist.exe	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jhat.exe	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javah.exe	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001bfcb194c97bd901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009421f794c97bd901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000020879c94c97bd901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000042523397c97bd901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000ae13995c97bd901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000014ace194c97bd901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b2b08494c97bd901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e5e84496c97bd901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	97	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
4868	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
4868	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
4868	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
4868	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
4868	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
4868	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
4868	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
4868	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
4868	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
4868	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
4868	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
4868	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
4868	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
4868	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
4868	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
4868	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
4868	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
4868	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
4868	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
4868	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
4868	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
4868	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
4868	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
4868	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
4868	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
4868	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
4868	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
4868	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
4868	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
4868	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
4868	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
4868	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
4868	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
4868	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
4868	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4868	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
Token: SeAuditPrivilege	5004	fxssvc.exe
Token: SeRestorePrivilege	2784	TieringEngineService.exe
Token: SeManageVolumePrivilege	2784	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4068	AgentService.exe
Token: SeBackupPrivilege	3356	vssvc.exe
Token: SeRestorePrivilege	3356	vssvc.exe
Token: SeAuditPrivilege	3356	vssvc.exe
Token: SeBackupPrivilege	2220	wbengine.exe
Token: SeRestorePrivilege	2220	wbengine.exe
Token: SeSecurityPrivilege	2220	wbengine.exe
Token: 33	4260	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4260	SearchIndexer.exe
Token: SeDebugPrivilege	4868	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
Token: SeDebugPrivilege	4868	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
Token: SeDebugPrivilege	4868	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
Token: SeDebugPrivilege	4868	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
Token: SeDebugPrivilege	4868	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4868	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 3924 wrote to memory of 4868	3924	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe	88
PID 3924 wrote to memory of 4868	3924	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe	88
PID 3924 wrote to memory of 4868	3924	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe	88
PID 3924 wrote to memory of 4868	3924	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe	88
PID 3924 wrote to memory of 4868	3924	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe	88
PID 3924 wrote to memory of 4868	3924	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe	88
PID 3924 wrote to memory of 4868	3924	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe	88
PID 3924 wrote to memory of 4868	3924	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe	88
PID 4868 wrote to memory of 3744	4868	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe	95
PID 4868 wrote to memory of 3744	4868	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe	95
PID 4868 wrote to memory of 3744	4868	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe	95
PID 4868 wrote to memory of 3744	4868	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe	95
PID 4868 wrote to memory of 3744	4868	6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe	95
PID 4260 wrote to memory of 2696	4260	SearchIndexer.exe	116
PID 4260 wrote to memory of 2696	4260	SearchIndexer.exe	116
PID 4260 wrote to memory of 3828	4260	SearchIndexer.exe	117
PID 4260 wrote to memory of 3828	4260	SearchIndexer.exe	117

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
"C:\Users\Admin\AppData\Local\Temp\6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3924
- C:\Users\Admin\AppData\Local\Temp\6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
  "C:\Users\Admin\AppData\Local\Temp\6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4868
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path
    PID:3744

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1404

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3628

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4772

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5004

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3872

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2272

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4996

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2248

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3092

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2864

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2152

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3200

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5092

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1600

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3624

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5080

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3328

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2784

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4068

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:740

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3356

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2220

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3296

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4260
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2696
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 900
  2⤵
  - Modifies data under HKEY_USERS
  PID:3828

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
330ca0e2c81ee3f7b8e089587eecdb66

SHA1
0a1f18093709c6fff628dc6299e1eb1c320d058f

SHA256
41f7156582e2d7bd18b1d96835c7109eceb06f6b3df6036dc533f5103abcecd3

SHA512
6f31f8fb98efcd26e909aab19d6b6a4a343ce30bcc161ee2f99dd034cddf68a5bc34b417ed5a7ecc0c2a3a6f04671a99cf95ed346fafb521da361a428a91892f

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
554ba6036d2740bcdf1695afeb94f62e

SHA1
192805086fda89672c982c1d72862a21161e9aaa

SHA256
7ac631d2e93f8c8d9d31344141fd16fb99e5cb984054f744488cc10a0e3caf88

SHA512
d9684faf700c29aaaceeb932f86b489a45d39ddadcdb99d238b0c3807bc22213fb27a8df938b988f8a062683e0193f80e1361f53f80f507e66461a4674fa788d

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
7321be1b5c0f4f57cef22b90a108eee3

SHA1
871a25b0a0bc1e01219617e4489da02a6468e70c

SHA256
f9d6fa2ed02228c820224a8fa96eebc07d4b020094d39f01ad54c01cfd7c63bc

SHA512
60fad0ba42c07d3975ffd51afbb4ea26218d46b9eb5a0832c311c9425194123598e15afb2c3199d4dbc561121dfa2053319a5aa42f940dcafca9da41dcd61db5

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
d2bfea666eee1418778946c4228f0ddd

SHA1
6b3a855efca34fd611404e356a95afb035d13ec9

SHA256
9c58b8927b7172f3548dfbe4e3482261eb4c97808bcefeb0e88b0d7db59615d8

SHA512
dc7c0130e1df2a1ba9fe08190ae1d6c1da008fa03a1b0db6eb3e5b0b0f34fc8e0159498be1dff2b31d460edb8e60c05cd6fd7bf35ddf86867641a49703b0cd49

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
d5f63b3aa08d8982d24c2358e958ac88

SHA1
e7f3c785ce4d439caad8fb8c1a241a9c5a34f07d

SHA256
4d272366924db30d0bb919170cf8a7cf34fa257542e34a9aff098d661e0e10ca

SHA512
e85b58116e0afcc4ba86d4c253221fa33e4780c7ac398770f78649eca126988d85e144da78e0249bc6b49a7375e9a4c9a2a31e40161bc44b9b3253f4eb659704

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
d32dbb253baeaebec17a5ac36f80af83

SHA1
55036717a1fb2c0162490504c71c8f9fa62b3d1c

SHA256
06c079f7ad6068b2368d681e852c82e6edbd53e27aa492de68b27cc68253129e

SHA512
c1230d8974def34d2a125682ea941a7e879f220af308016ccf241ee310fb8082dc2daebd024b1129263ce22f6d8a8d47ab2564a9f0bf820c8549815d05387f53

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
0438bb0f53f793925f9966757f9dda19

SHA1
143de9b48d68e4ead0ff9b80d64ec90f37bdab66

SHA256
3c12b14d70e83d1bb282bcfcc55ad23ae2373df7885447f8aa4e7392e612e2f9

SHA512
87bdfd3f48932811469165c36cd330297ae5e2ee53c1ec654c68051f31695b8fdb46db14ffbc03f777dbe8ac13e2a346422b43e02bdb4466760f31f323048298

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
3f216a5b8b4ce4ccab33a49680ec88ba

SHA1
1ac7698bea8672f7b23e958d71360b39200ff79b

SHA256
640d04020025f892eea247d36fa04981baae4a7f9f17d432da4b5509088d259a

SHA512
cef789c03f8885639268945c6e4c7b760ffe85475f07661b5761857dd2bef255603a7a1dedbf7dca8fd68f1b42c874bc56e859706017b67b014915950151182c

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
dfd36e37f7ea76f6d1634eaf911db82e

SHA1
930d15f4853446dcdaaa45774c21ac80857b4b66

SHA256
879843b21774ed77af903cdd3f5c5bd992c540db2d41d73dd40d8f2e14b2fef6

SHA512
4910708a9c9fb9db2ab943dec64813478409fe4ee8d8ea033653d74af0c26aba054f9d921fe677ab878856e1e2c126cebe81b777027e3639c69e8c26da834f58

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
36e303321ff2ab94f3dff94ed52892a1

SHA1
993c1a47ca6f202108d739ae572afb150e36bf64

SHA256
dd08eab087934ea5ed1c62ffbdfde75a0ac480b5e1eb37f0bab961de10eac81b

SHA512
509331256e40ba99f16c912a4f9edc915cccfe1fd5d005e41d8b04e6873b6abdbb806a4b87aa069e5b5515bffd48fdbb5e6463a1f155a89a8fe15aec4e42dcec

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
36e303321ff2ab94f3dff94ed52892a1

SHA1
993c1a47ca6f202108d739ae572afb150e36bf64

SHA256
dd08eab087934ea5ed1c62ffbdfde75a0ac480b5e1eb37f0bab961de10eac81b

SHA512
509331256e40ba99f16c912a4f9edc915cccfe1fd5d005e41d8b04e6873b6abdbb806a4b87aa069e5b5515bffd48fdbb5e6463a1f155a89a8fe15aec4e42dcec

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
980ccc5055a4fd35e55a1844103515f6

SHA1
a5b7fe74d02b89e6b42e86f3127f1161f7664002

SHA256
87cfa395cb0e32e76e7545edfe3f472de523f190b857b7265376f1b9de6313fd

SHA512
f7d1260078e972cec8ad88ae3347219527d06870d70305558989b7ba5d609da5d8be09d6f85ff49e617409b88c62a1fdad2da665140279d188f7dd9edd232d72

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
8cd32c2ff3fcdbacd4201abeb7f69541

SHA1
cf74e5a82af23aad88cf8c88d5434643d5597a21

SHA256
a09b5eae0b2d4f5b9612a63e24c019d0f9d4c805229780c16d3441bee4d55906

SHA512
c753e359b70e6c7a0bdab36c794f25558bada44c9b6690f78c41be4eb63c605bb6fdf423f97f7a0a3ef22cd4e580a4967483fcbe9f42598ba688d5814251ae63

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
3dd4809a195b94fb895cc8e2c77180b7

SHA1
35099567aed979f1ce54372dcd5bad08d559c57f

SHA256
9d565b6b023a5ac2aac883e260a8c4903d715c756970bcd89b864dece498304b

SHA512
7af47603c90a6da5566e922507da9ee9be568322137fc59e452ec8fcf07da8410b99de0a48502197db997155ef451fd28bc72ffd11fe3b351a8c45b2ab6cc151

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
cf4b1012acd491d4e24aa5952648a48f

SHA1
45b5d2349fcd521d046016775111295f55c376f0

SHA256
92374e0ada37debea9e7585a3941c8aa94ecfbcd48cd4818a99a8cc8bd871346

SHA512
25b30866d893f6957f837287e92875c35ae38991576d7777803fa85dfb8b5d124996fe8e41b26fa7c22ee38e7401f85ae747eb0296ee6f8ed1ba3f0406a4bf95

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
1074e20d6c4b51323feba282013faa74

SHA1
f7f604c7c3808deeba867dc08f768fa2b63230f9

SHA256
6f9d6c3055932a84efa8ccb3cd4feac98aa248373565e432e405f81fdc1d2925

SHA512
b28899539f8e8d2f3a9ba9e6ff09efa076603d29fa3969d7521713a729e5081733e0fb25f9b18210b3f8fe093f62288f50160bb10b5ef64417cf1843eaa32819

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
55557e859ab5fbdbcb20d5a09c846fe4

SHA1
449adcf29df172569b9f43ea2fe48cab9bc3184d

SHA256
14cdb15e4b930fd8d2359caf20185bd536b8c4fde8977624c280ad95fe456d4e

SHA512
416afee3f52c6c86690e77137c4db1468de38fb080681652c1bdd796a4b079a17e51a4f8f59effafdaa1ad1c18c8f2cd3db7cf80243a06d0fb6ac584c19a946c

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
1dfe40adc40f9272fccd69ac1f380aa1

SHA1
df022cc632bab75ea9d40233f47bd83dee704b84

SHA256
fc06a0a143ca6f03ffe11198d4223a9ed93f9b604a7333e09b562cb1cb18e593

SHA512
0d829b48002c6b4732d36460b54e6800b61a9a86ce0266c4afd9bf66e4f883cd8c00cf94ad9c5efac2d0a4b1b157ea6f84dc06acc14adf6153f8b9035007f112

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
4058a6e3c026e025768a0da2e16791ca

SHA1
2df078bcb3db0bded503ca1895846a53b5b6fec7

SHA256
f2fe6ae9c6097af59ce6a8c51398e95999ad3a6a82ade69cd7bf58ccead149dc

SHA512
6377340747044a45649067e984723d3b345a7fc95c8dfd914a93b05be27e5ce1a3a56c6e4b09fec6259750981b9fec78199016cdc01b3eed0c9a5005647a8d31

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
cf82c339ace52683d7ad9ca60ecc9bb6

SHA1
db4adf1701d532153148fb9a1d7e97164364f5a5

SHA256
d650687e906f5d2764881a5183bb58a86d50b7b2661b5d4b465e69948cf93ca4

SHA512
fb51afdadd1b1e7bc786d3a2050edd5509f45a0876ecd79c2fb32de5f15febc47ea71e5f91de56a862884444edb3573ad893b0c3fb4276863cc1afd633882432

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
b97ba4d6ea85858e6fc581bf58f3590d

SHA1
0b6f8691cea62a2dda874130504e892e34c249d3

SHA256
b845503d235e384e7dfebd3dacffa10dacfe5ab1408c4a8ff827d159acbcce32

SHA512
1b630502433e9a199ea2d9f7f630ee9f799248e5166f5c53ed4eb62ccfb66e70824ad268dfe12aa34341fdb34a8f9f3c942e73ba265a32525869091f268d97ec

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
013d4376d98fb085e5bd6df287b836f0

SHA1
ff41c41efb1bb7d7ba914c34401f848ad4680a87

SHA256
1ae58662dcd4b11c8e0d4c26dedddf59e20ee67c4035cefc6fc54a5551c1c3a5

SHA512
a89648f3d52146a30fd9ea7bc1fca05a73329c327cd15d276aac21b3b2fc7170c74ca764fad806ca965cf89e6cc02f0b4bb27bdf79091fb7d3382fddea5414bb

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
326853fae9f3c1be9e2554833869f856

SHA1
7d5f7929a8196744d84623f14e9289fdd212b99f

SHA256
3703bf7e439971fbf38090885bb4e499693f888fd8069a657333c1d440c8ad6b

SHA512
e4d6f14dee35178c53e24c8a5d5051c4d1b42d7e4dbaa641e3ca6bc656a776aac8584912e819bb49c05f976cd5dae7e7a0d16ccc5167af262d0998ea0904051e

Download Submit
memory/740-363-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/740-595-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1404-168-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/1404-157-0x0000000000560000-0x00000000005C0000-memory.dmp

Filesize
384KB

Download
memory/1404-163-0x0000000000560000-0x00000000005C0000-memory.dmp

Filesize
384KB

Download
memory/1600-313-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2152-283-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/2220-395-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2248-234-0x0000000000D30000-0x0000000000D90000-memory.dmp

Filesize
384KB

Download
memory/2248-243-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/2272-205-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/2272-212-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/2272-486-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2272-222-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2784-588-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/2784-344-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/2864-281-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/3092-278-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/3200-561-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/3200-286-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/3296-433-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/3296-605-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/3356-393-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3624-338-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3628-170-0x0000000000490000-0x00000000004F0000-memory.dmp

Filesize
384KB

Download
memory/3628-176-0x0000000000490000-0x00000000004F0000-memory.dmp

Filesize
384KB

Download
memory/3628-192-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/3744-215-0x00000000005E0000-0x0000000000646000-memory.dmp

Filesize
408KB

Download
memory/3828-714-0x000001D2FC8A0000-0x000001D2FC8B0000-memory.dmp

Filesize
64KB

Download
memory/3828-730-0x000001D2FC8A0000-0x000001D2FC8B0000-memory.dmp

Filesize
64KB

Download
memory/3828-727-0x000001D2FC8A0000-0x000001D2FC8B0000-memory.dmp

Filesize
64KB

Download
memory/3828-725-0x000001D2FC7A0000-0x000001D2FC7B0000-memory.dmp

Filesize
64KB

Download
memory/3828-733-0x000001D2FC8A0000-0x000001D2FC8B0000-memory.dmp

Filesize
64KB

Download
memory/3828-732-0x000001D2FC8A0000-0x000001D2FC8B0000-memory.dmp

Filesize
64KB

Download
memory/3828-720-0x000001D2FC8A0000-0x000001D2FC8B0000-memory.dmp

Filesize
64KB

Download
memory/3828-719-0x000001D2FC8A0000-0x000001D2FC8B0000-memory.dmp

Filesize
64KB

Download
memory/3828-728-0x000001D2FC8A0000-0x000001D2FC8B0000-memory.dmp

Filesize
64KB

Download
memory/3828-729-0x000001D2FC8A0000-0x000001D2FC8B0000-memory.dmp

Filesize
64KB

Download
memory/3828-718-0x000001D2FC8A0000-0x000001D2FC8B0000-memory.dmp

Filesize
64KB

Download
memory/3828-645-0x000001D2FC780000-0x000001D2FC790000-memory.dmp

Filesize
64KB

Download
memory/3828-717-0x000001D2FC8A0000-0x000001D2FC8B0000-memory.dmp

Filesize
64KB

Download
memory/3828-716-0x000001D2FC8A0000-0x000001D2FC8B0000-memory.dmp

Filesize
64KB

Download
memory/3828-715-0x000001D2FC8A0000-0x000001D2FC8B0000-memory.dmp

Filesize
64KB

Download
memory/3828-646-0x000001D2FC7A0000-0x000001D2FC7B0000-memory.dmp

Filesize
64KB

Download
memory/3828-713-0x000001D2FC7B0000-0x000001D2FC7C0000-memory.dmp

Filesize
64KB

Download
memory/3828-654-0x000001D2FC7B0000-0x000001D2FC7C0000-memory.dmp

Filesize
64KB

Download
memory/3828-653-0x000001D2FC7B0000-0x000001D2FC7C0000-memory.dmp

Filesize
64KB

Download
memory/3828-731-0x000001D2FC8A0000-0x000001D2FC8B0000-memory.dmp

Filesize
64KB

Download
memory/3872-482-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3872-195-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3872-199-0x00000000004D0000-0x0000000000530000-memory.dmp

Filesize
384KB

Download
memory/3872-190-0x00000000004D0000-0x0000000000530000-memory.dmp

Filesize
384KB

Download
memory/3924-137-0x0000000004C10000-0x0000000004C20000-memory.dmp

Filesize
64KB

Download
memory/3924-138-0x0000000004C10000-0x0000000004C20000-memory.dmp

Filesize
64KB

Download
memory/3924-136-0x0000000004CC0000-0x0000000004CCA000-memory.dmp

Filesize
40KB

Download
memory/3924-133-0x00000000000D0000-0x0000000000258000-memory.dmp

Filesize
1.5MB

Download
memory/3924-135-0x0000000004C20000-0x0000000004CB2000-memory.dmp

Filesize
584KB

Download
memory/3924-134-0x0000000005300000-0x00000000058A4000-memory.dmp

Filesize
5.6MB

Download
memory/3924-139-0x0000000006BA0000-0x0000000006C3C000-memory.dmp

Filesize
624KB

Download
memory/4068-360-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4260-435-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4260-606-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4868-150-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/4868-140-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/4868-143-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/4868-144-0x0000000002FB0000-0x0000000003016000-memory.dmp

Filesize
408KB

Download
memory/4868-430-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/4868-149-0x0000000002FB0000-0x0000000003016000-memory.dmp

Filesize
408KB

Download
memory/4996-217-0x0000000002270000-0x00000000022D0000-memory.dmp

Filesize
384KB

Download
memory/4996-228-0x0000000002270000-0x00000000022D0000-memory.dmp

Filesize
384KB

Download
memory/4996-225-0x0000000002270000-0x00000000022D0000-memory.dmp

Filesize
384KB

Download
memory/4996-231-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4996-220-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/5004-180-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/5004-194-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5004-201-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/5004-206-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5004-186-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/5080-341-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/5092-312-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5092-553-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download