Analysis
max time kernel: 152s
max time network: 160s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-04-2023 21:14

Static task: static1

Behavioral task: behavioral1
Sample: 6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
Resource: win7-20230220-en

Behavioral task: behavioral2
Sample: 6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
Resource: win10v2004-20230220-en
General
Target: 6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
Size: 1.5MB
MD5: 13dc441ec2f9e3f9aa1f354a4b14d318
SHA1: 05b62c596ca78745d73514cd5d43434929955863
SHA256: 6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c
SHA512: 30f4da77bf1ba35334fc1812a6792bb91396fdc8cc7b918f81c6395a48523079cccc89c7090b5c21c30ab62939fa8663cc695ad7d876f083773f7c85cffc5242
SSDEEP: 24576:TwMryIYPOfPFxgvnRnc215nETdxUA6p7GDHDCf0uEywBk1EM8Xzd:Md5PsPfgvRv0gA6pYC52lD
Malware Config
Extracted
blustealer
https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325
Signatures

BluStealer
A modular information stealer written in Visual Basic.

Executes dropped EXE (22 IoCs)
pid | Process
5016 | alg.exe
3712 | DiagnosticsHub.StandardCollector.Service.exe
4748 | fxssvc.exe
5084 | elevation_service.exe
2204 | elevation_service.exe
2764 | maintenanceservice.exe
1620 | msdtc.exe
3788 | OSE.EXE
3064 | PerceptionSimulationService.exe
1704 | perfhost.exe
5020 | locator.exe
1396 | SensorDataService.exe
912 | snmptrap.exe
840 | spectrum.exe
4964 | ssh-agent.exe
2860 | TieringEngineService.exe
2396 | AgentService.exe
4148 | vds.exe
2112 | vssvc.exe
4260 | wbengine.exe
4496 | WmiApSrv.exe
1920 | SearchIndexer.exe
Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AppLaunch.exe
Key opened | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AppLaunch.exe
Key opened | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AppLaunch.exe
Drops file in System32 directory (24 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\system32\spectrum.exe | 6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification | C:\Windows\system32\vssvc.exe | 6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | 6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | 6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | 6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | 6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification | C:\Windows\system32\AgentService.exe | 6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification | C:\Windows\System32\alg.exe | 6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | 6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification | C:\Windows\System32\vds.exe | 6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\335d62bfea807a0f.bin | alg.exe
File opened for modification | C:\Windows\system32\msiexec.exe | 6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification | C:\Windows\system32\locator.exe | 6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | 6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | 6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | 6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | 6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification | C:\Windows\system32\wbengine.exe | 6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | 6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification | C:\Windows\System32\msdtc.exe | 6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | 6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
PID 452 set thread context of 4396 | 452 | 6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe | 90
PID 4396 set thread context of 1804 | 4396 | 6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe | 96
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\klist.exe | 6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\schemagen.exe | 6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\nbexec.exe | 6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\nbexec64.exe | 6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice.exe | 6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe | 6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe | 6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\jconsole.exe | 6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe | 6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\jstack.exe | 6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\servertool.exe | 6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification | C:\Program Files\Mozilla Firefox\minidump-analyzer.exe | 6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe | 6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe | 6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | 6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\wsimport.exe | 6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\bin\tnameserv.exe | 6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\javacpl.exe | 6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\rmiregistry.exe | 6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe | 6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe | 6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe | 6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe | 6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\bin\ktab.exe | 6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe | 6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe | 6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | 6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | 6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe | 6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\jabswitch.exe | 6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe | 6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\java-rmi.exe | 6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe | 6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\javaws.exe | 6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe | 6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\jps.exe | 6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe | 6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\jstat.exe | 6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\tnameserv.exe | 6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe | 6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe | 6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe | 6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe | 6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification | C:\Program Files\Internet Explorer\iediagcmd.exe | 6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\bin\javaws.exe | 6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\klist.exe | 6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification | C:\Program Files\Mozilla Firefox\uninstall\helper.exe | 6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | 6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE | 6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\ssvagent.exe | 6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe | 6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\jvisualvm.exe | 6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\native2ascii.exe | 6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\jstatd.exe | 6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification | C:\Program Files\Mozilla Firefox\pingsender.exe | 6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe | 6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe | 6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe | 6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe | 6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\pack200.exe | 6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | 6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe | 6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe | 6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | 6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
Drops file in Windows directory (2 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Modifies data under HKEY_USERS (40 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000096ff53e1b97bd901 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration" | SearchIndexer.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000621467e1b97bd901 | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007536cbe1b97bd901 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cd92bae1b97bd901 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1133 = "Print" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection" | SearchIndexer.exe
Script User-Agent 1 IoCs
Uses a User-Agent string associated with a script host/environment. "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)" is the default User-Agent of the WinHttpRequest COM object, so this request was issued through WinHTTP from script-style code (VBScript, VBA and Visual Basic programs typically drive that object) rather than by a browser. Some legitimate administration scripts use the same object, so treat the string as a lead to be tied to a process and a destination, not as a verdict on its own.
description flow ioc
HTTP User-Agent header, flow 95: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
-
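To turn the User-Agent IoC above into a hunt over proxy logs, the following Python is an added example and not part of the sandbox report. It assumes a combined-format proxy log with the User-Agent as the last quoted field; the three log lines are constructed for the example and the destination host in them is a placeholder, not anything observed in this run.

```python
import re
from dataclasses import dataclass

# Default User-Agent of the WinHttpRequest COM object; the report saw it on flow 95.
# The version digit is left open so other builds of winhttpcom are caught too.
SCRIPT_HOST_UA = re.compile(r"WinHttp\.WinHttpRequest\.\d+")

# Assumed log layout (combined format with User-Agent last):
#   client - - [timestamp] "METHOD url HTTP/1.x" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


@dataclass(frozen=True)
class Hit:
    client: str
    method: str
    url: str
    user_agent: str


def find_script_host_requests(lines):
    """Return the requests whose User-Agent identifies the WinHttpRequest COM object."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if not m:
            continue  # unparsable line: skip it rather than abort a long hunt
        if SCRIPT_HOST_UA.search(m["ua"]):
            hits.append(Hit(m["client"], m["method"], m["url"], m["ua"]))
    return hits


# Constructed sample log: a browser request, a POST through WinHttpRequest carrying
# the exact User-Agent from the report, and a curl request. 203.0.113.10 is a
# documentation address used as a placeholder destination.
SAMPLE_LOG = [
    '10.0.0.21 - - [30/Apr/2023:21:15:01 +0000] "GET https://www.example.com/ HTTP/1.1" 200 5120 '
    '"-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/106.0.0.0 Safari/537.36"',
    '10.0.0.21 - - [30/Apr/2023:21:15:04 +0000] "POST https://203.0.113.10/gate/upload HTTP/1.1" 200 87 '
    '"-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"',
    '10.0.0.22 - - [30/Apr/2023:21:15:09 +0000] "GET https://www.example.com/robots.txt HTTP/1.1" 200 64 '
    '"-" "curl/8.0.1"',
]

if __name__ == "__main__":
    for h in find_script_host_requests(SAMPLE_LOG):
        print(f"{h.client} {h.method} {h.url}  UA={h.user_agent!r}")
```

The client address and URL in each hit are what you pivot on next: the client to find the process on the endpoint, the URL to see whether the destination is the same one the sample reports to.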
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
644 Process not Found
644 Process not Found
-
Suspicious use of AdjustPrivilegeToken 38 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 4396 6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe
Token: SeAuditPrivilege 4748 fxssvc.exe
Token: SeRestorePrivilege 2860 TieringEngineService.exe
Token: SeManageVolumePrivilege 2860 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 2396 AgentService.exe
Token: SeBackupPrivilege 2112 vssvc.exe
Token: SeRestorePrivilege 2112 vssvc.exe
Token: SeAuditPrivilege 2112 vssvc.exe
Token: SeBackupPrivilege 4260 wbengine.exe
Token: SeRestorePrivilege 4260 wbengine.exe
Token: SeSecurityPrivilege 4260 wbengine.exe
Token: 33 (privilege LUID 33, SeIncreaseWorkingSetPrivilege) 1920 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 1920 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1920 SearchIndexer.exe (this entry is repeated 25 times)
-
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 4396 6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe -
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target
PID 452 wrote to memory of 4396 452 6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe 90 (8 entries)
PID 4396 wrote to memory of 1804 4396 6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe 96 (5 entries)
PID 1920 wrote to memory of 3968 1920 SearchIndexer.exe 118 (2 entries)
PID 1920 wrote to memory of 2748 1920 SearchIndexer.exe 119 (2 entries)
-
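Read together with the process tree, the WriteProcessMemory entries describe the sample's injection chain: the first instance (PID 452) writes eight times into a second copy of itself (PID 4396) that also triggers SetThreadContext, and that copy then writes five times into the .NET host AppLaunch.exe (PID 1804), which is the process that goes on to open the Outlook profile keys. SearchIndexer.exe writing into the SearchProtocolHost.exe and SearchFilterHost.exe children it spawns is ordinary Windows Search behaviour. The Python below is an added example, not part of the report: it parses entries in the report's own layout and applies that triage logic. The PID-to-image map is copied from the process tree; the watch list of trusted host binaries is an assumption.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# One line per WriteProcessMemory IoC, in the layout the report uses:
#   PID <src> wrote to memory of <dst> <src> <src image> <procid_target>
WPM_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<image>\S+) (?P<target>\d+)$"
)

SAMPLE = "6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe"

# The report's 17 entries, reconstructed here as input (constructed list).
WPM_LINES = (
    [f"PID 452 wrote to memory of 4396 452 {SAMPLE} 90"] * 8
    + [f"PID 4396 wrote to memory of 1804 4396 {SAMPLE} 96"] * 5
    + ["PID 1920 wrote to memory of 3968 1920 SearchIndexer.exe 118"] * 2
    + ["PID 1920 wrote to memory of 2748 1920 SearchIndexer.exe 119"] * 2
)

# PID -> image path, taken from the process tree in the report.
IMAGES = {
    452: "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE,
    4396: "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE,
    1804: r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe",
    1920: r"C:\Windows\system32\SearchIndexer.exe",
    3968: r"C:\Windows\system32\SearchProtocolHost.exe",
    2748: r"C:\Windows\system32\SearchFilterHost.exe",
}

# PIDs whose entry in the process tree also carries "Suspicious use of SetThreadContext".
SET_THREAD_CONTEXT = {452, 4396}

# Hypothetical watch list (assumption, not from the report): signed Microsoft host
# binaries that commodity .NET stealers commonly start suspended and inject into.
TRUSTED_HOST_TARGETS = {"applaunch.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe", "installutil.exe"}


def parse_wpm(lines):
    """Collapse the IoC lines into (src_pid, dst_pid) -> number of writes."""
    edges = Counter()
    for line in lines:
        m = WPM_RE.match(line.strip())
        if m:
            edges[(int(m["src"]), int(m["dst"]))] += 1
    return edges


def image_name(path):
    return PureWindowsPath(path).name.lower()


def classify(edges, images, set_thread_context):
    """Rate each writer->target pair with the signals an analyst reads off the tree."""
    findings = []
    for (src, dst), writes in sorted(edges.items()):
        src_img = images.get(src, "")
        dst_img = images.get(dst, "")
        same_image = bool(src_img) and image_name(src_img) == image_name(dst_img)
        if same_image and src in set_thread_context:
            severity = "high"
            reason = "writes into a second copy of itself and sets its thread context (self-injection / hollowing)"
        elif image_name(dst_img) in TRUSTED_HOST_TARGETS:
            severity = "high"
            reason = f"writes into trusted host {image_name(dst_img)} (payload injection)"
        elif src in set_thread_context:
            severity = "medium"
            reason = "writes into another process and also sets thread context"
        else:
            severity = "low"
            reason = "no hollowing indicators; consistent with a parent setting up a child it just spawned"
        findings.append({"src": src, "dst": dst, "writes": writes, "severity": severity, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in classify(parse_wpm(WPM_LINES), IMAGES, SET_THREAD_CONTEXT):
        print(f"[{f['severity']:6}] {f['src']} -> {f['dst']} x{f['writes']}: {f['reason']}")
```

The same logic transfers to endpoint telemetry that records cross-process writes (for example Sysmon event ID 8 or 10 correlated with process creation), where the image map and the SetThreadContext set come from the sensor instead of the report.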
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe
Processes
-
Each entry gives the image path with its tree depth and PID, then the command line and the signatures the process triggered. Depth 2 and 3 entries are children of the entry above them.
-
C:\Users\Admin\AppData\Local\Temp\6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe (depth 1, PID 452)
  Command line: "C:\Users\Admin\AppData\Local\Temp\6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe (depth 2, PID 4396)
    Command line: "C:\Users\Admin\AppData\Local\Temp\6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c.exe"
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (depth 3, PID 1804)
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      - Accesses Microsoft Outlook profiles
      - outlook_office_path
      - outlook_win_path
-
C:\Windows\System32\alg.exe (depth 1, PID 5016)
  Command line: C:\Windows\System32\alg.exe
  - Executes dropped EXE
  - Drops file in System32 directory
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe (depth 1, PID 3712)
  Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  - Executes dropped EXE
-
C:\Windows\System32\svchost.exe (depth 1, PID 1020)
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
-
C:\Windows\system32\fxssvc.exe (depth 1, PID 4748)
  Command line: C:\Windows\system32\fxssvc.exe
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe (depth 1, PID 5084)
  Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
  - Executes dropped EXE
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe (depth 1, PID 2204)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
  - Executes dropped EXE
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe (depth 1, PID 2764)
  Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
  - Executes dropped EXE
-
C:\Windows\System32\msdtc.exe (depth 1, PID 1620)
  Command line: C:\Windows\System32\msdtc.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (depth 1, PID 3788)
  Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
  - Executes dropped EXE
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe (depth 1, PID 3064)
  Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  - Executes dropped EXE
-
C:\Windows\SysWow64\perfhost.exe (depth 1, PID 1704)
  Command line: C:\Windows\SysWow64\perfhost.exe
  - Executes dropped EXE
-
C:\Windows\system32\locator.exe (depth 1, PID 5020)
  Command line: C:\Windows\system32\locator.exe
  - Executes dropped EXE
-
C:\Windows\System32\SensorDataService.exe (depth 1, PID 1396)
  Command line: C:\Windows\System32\SensorDataService.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)
-
C:\Windows\System32\snmptrap.exe (depth 1, PID 912)
  Command line: C:\Windows\System32\snmptrap.exe
  - Executes dropped EXE
-
C:\Windows\system32\spectrum.exe (depth 1, PID 840)
  Command line: C:\Windows\system32\spectrum.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)
-
C:\Windows\System32\OpenSSH\ssh-agent.exe (depth 1, PID 4964)
  Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
  - Executes dropped EXE
-
C:\Windows\system32\svchost.exe (depth 1, PID 3376)
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
-
C:\Windows\system32\TieringEngineService.exe (depth 1, PID 2860)
  Command line: C:\Windows\system32\TieringEngineService.exe
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\AgentService.exe (depth 1, PID 2396)
  Command line: C:\Windows\system32\AgentService.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\vds.exe (depth 1, PID 4148)
  Command line: C:\Windows\System32\vds.exe
  - Executes dropped EXE
-
C:\Windows\system32\vssvc.exe (depth 1, PID 2112)
  Command line: C:\Windows\system32\vssvc.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbengine.exe (depth 1, PID 4260)
  Command line: "C:\Windows\system32\wbengine.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbem\WmiApSrv.exe (depth 1, PID 4496)
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
  - Executes dropped EXE
-
C:\Windows\system32\SearchIndexer.exe (depth 1, PID 1920)
  Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\SearchProtocolHost.exe (depth 2, PID 3968)
    Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
    - Modifies data under HKEY_USERS
  C:\Windows\system32\SearchFilterHost.exe (depth 2, PID 2748)
    Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
-
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize: 2.1MB
MD5: e75471655e880a22f8e5852289ffa398
SHA1: d2794107c54d3cf5fbfc448a7f207d80d2923424
SHA256: 3de6f2e0dd2cc46c3051e17c1c4efd9054adb7373b0f27a4952e8ae226f1503d
SHA512: 2f042988b1e791cdc4a9e7846fc7b32d42086b946d2995fc63ec6b1f83dfecbf66b3f20628a02e00835cb651bbd9b621fb349ca187e6b4dc37df0512ffab710d
-
Filesize: 1.4MB
MD5: c60cae38ce580bcc535a515974e8ab12
SHA1: 7b3d03a0a1261b095a15001d05913e0e3565aef2
SHA256: b75b50b7ea9030589099d7e01b9b3be83b469947ecb250a42c38655dc69a8975
SHA512: f47713093af8d2e940007d9684b89c67b682def74f78d35d4ef15aa75c6670845ccb45fc3bdeb4fdbc07f6374a9e1f2a4cd9d8962ae63d59e6095e19e368592c
-
Filesize: 1.5MB
MD5: d6ac8747b3d503a2d1edfea0fcee8f7a
SHA1: 5430bbb1b5e6faf8fe551ef38fa376d5c063a4cb
SHA256: 0fad69295b138b3b46b3325b62bf5f13e985409e1c60a75e435936432c0d7b25
SHA512: 1f33a0de97960bc3c190e22b33dc2aead52456acb54bf90e5dcf667890c8609b76e16310ca553d3bdb9047d785bbc4f256318a4bdc9b0bfc679e18e7f681f28c
-
Filesize: 2.1MB
MD5: 7f2c1aaa6926091fd551e46a9f8ebf8f
SHA1: 5315550f8ec57f412977e49ad728d238e5a0214f
SHA256: e9775bd6dc34fe0c7a4f5ab26152bb67270c8292a2b5a28f390a89417eb84602
SHA512: 393f50f32c0f60b4743fbc1c2c608ddbe65929c6ea54fb8f3089f1b24e39d4c0d65a76fa5367a2a0a9a744055f3b51202067851333a9db8a67ff44342e344441
-
Filesize: 1.2MB
MD5: 593675ff0331dc9eb81ff044e80d3f9e
SHA1: e8a890ae1d5784f9d0b177992fce56696f1f18db
SHA256: 636bd90e16b67b8ff3d3f81b61d08c21894af579fbca9c5ae28f00bed88161c8
SHA512: 2e7ef2c2a0af2cfaa311094be000f08e6dbec1bbd6dfbebbd43783ceb35acc4ddac99b29098ec5bb341952dd18cf844b180d64bcf0ffc118a89972ae9c3be4d9
-
Filesize: 1.7MB
MD5: 0f28636cdad47e584afd5674774136fe
SHA1: 2f5c07791f480c9817764b49541d0e5fa1cc10f9
SHA256: 44e7c5741fc88481dbc19bd3af04ad84b3a46aa861c3f55cbdfd679df76ed4ab
SHA512: bd230bfb98d8700ff16dd0bf9fc2cd30ce3b89d1f3535e7fecc6db1d4cc8de6a31595a3481eeb4f37be3c9c9dd16c04c57608725cdb04dbf479b4e66764db515
-
Filesize: 1.3MB
MD5: aea69fc263d70fa60e351232d91ce497
SHA1: 8c04dc4dd0a48c717c9c2dbffd4ee5070093490f
SHA256: 6f56a097b230c0615f1ceeb3e58321913251ba8513feafeea7c9586492b9f19e
SHA512: ec4eb5e5697b313b74dc8ff4ad41b1b761a4fae57f0b642fa449a384b6b9b4fcae86e6adb8658537b55382144918cb0b268146cc5bfdcdcfb53729f28971b563
-
Filesize: 1.2MB
MD5: 4f067006e4f7ace1558b4f6251acc49f
SHA1: e7a494dd3bdf1b86f78bcfd6ccf605f6c0e913f2
SHA256: 751aaf2c6f2b01e1fbb176cae0ae5a8615cc9894e47d7368a4ccc1ae4cf403fd
SHA512: d96475cc64809e8bd2c0db71b18aa1915f05cd9d2ff522b7c954470cbf51980503ad02f0cffcf2a7c185fa4ccfe2adb458f47cbd441758acce959952e4a510b7
-
Filesize: 1.2MB
MD5: d267e2b42607a3d4a57bab8d041e76e5
SHA1: 5c4274031f5c009ed1a32ce51f0d622a30e7f63b
SHA256: 2afa97a15a6f94da6e6994a6890871f6b7e65870099ea77cd823e1208a74b5aa
SHA512: cc7fd6699ee3c5d725da8d33757278ee03bde27731157f340727e8cb38a8aa781f58bd116f51cfc7740831af002c213df7cd105bf799ff3bf63787756cf79d99
-
Filesize: 1.6MB
MD5: 99a48311d0c9828e6634a2f2cd1b1665
SHA1: dc1f9742a2a212313c096d1072c28a7deeac814a
SHA256: ac1ba4c9d7126ce7e1219d1faf1490368fd4c6332f5c6d2d1c2caa160aa974d2
SHA512: 72ff5a5b6b9b31e4add44735139bb13b8bfa153d61b11eb067128741e65d870db6c17c1ed3f03023d724c1bcbef203d02f5c2b25ebcc911d23d4fa24de38e13d
(this entry appears twice in the original listing)
-
Filesize: 1.3MB
MD5: 2bc8c77a277b56b1ee227a3a1fbea880
SHA1: 010da74ab842ec7950f6afd45195c4b8d3f4858a
SHA256: 4cf86d73abc862f59d14f89adfb9e141b679d4d106fc561fdc4f105dd0d7ad9f
SHA512: 36001a9e5aac286f28a0f56214e46f47c4bfe3feb8a64cbc3feb8033d60b78d5001bb6b6641c74af92538f41b01a216211f802f0d6e4ad5718f3269cd701d8d5
-
Filesize: 1.4MB
MD5: 1395ee6b45e184bb6e0ad2356d315657
SHA1: b1e1614e7d3cfd47781eb74cf9f09a168bc12716
SHA256: d0bfd60bec96ceab1485b7841ae3c17ff5680b29ed3d42a06386a94bcb8699e6
SHA512: cb6267505e0315d2c42fa9a822c02eba4388dde3713962041da4929b9188f96b8bb3a57ebfc2390c69b4fc532bf4c510f6d2b8aa00ef8418ca5ccc872ad57ce1
-
Filesize: 1.8MB
MD5: 3a69e7cd454cd22868ee8698bcfa06b1
SHA1: 0f48b0e3bc95f368b293ee332373867947ce49cf
SHA256: abbdd67ea152ebb90e606f7af7d83fa1589abd2049cbaaf55420e8f3bd10217c
SHA512: 317bf1068bdc250ae72bfae04b8cf65791a9529e990475f2a290de7522cb26158b704fd2db3349231888fc1d8f78ebeb0d065ef10f0489c6995fce3d877aea04
-
Filesize: 1.4MB
MD5: 27dfa08da49bab0e8d7ab272b6cb1d92
SHA1: c6041d2d7360548f08f18f8127a3e5af452b99ea
SHA256: 54f502492c89bff1e93f27c3ed2c80b2e7b7c44d1e35930ac38c798d7e443512
SHA512: 810e9692994ba84838b56bae7efdefb0692197ee6897ef317d413897ea6d4791337ab3085000dd402a7be34e61a57c904f4c23b31bd45944015efcd6d988f47f
-
Filesize: 1.5MB
MD5: 0836175adce0301c537aae4d9625efb9
SHA1: 0f7a3e6f49cc5ffd6ee1b5e2debe4ffd6bef4d55
SHA256: c578e83e513f7865a79dc3757b52d07cec00306193b86b98cfc767fa1cb8a765
SHA512: 697d5b0528b22bb510ccdfc0454f38c8910c2e242c31c67db5ff076405976156c9ab6f0aac0b4f1fe554ef0cf97f835f7019d4d97123e4ae4d53d386ff8bb731
-
Filesize: 2.0MB
MD5: 3d9d79136fdc65cd72d422bfa568c881
SHA1: 915a1875684d1f7a2a3d679f912d59c3cb1626bf
SHA256: 35f9c3f4241546bab0be876615224a09327e888ed7494fb3476c27ee815d2ef0
SHA512: 6dfc7c5c5beb9cbf568b7ce2ddac32f759035df57282bad77c19e27a0ca6e6cd299b22afddd0922387bb6ac1d2cf929f2110bbb933ed69c055d141276ecb39a5
-
Filesize: 1.3MB
MD5: 2620916e1e2d107525dd2f159451aba8
SHA1: 975cea121cbe996076b300d298fe06bf86c44976
SHA256: 0536d71fe0b4989bd78b527cfcf76a6190ba891380dd68e2f44f4dc1d733f37b
SHA512: 44c195b85f4694b991b47f06b5fdfc64ce25d19903e8a98f375aad72f4cb73770028862f835407d01e89f90b87ecafe711c2b765724a76bbf77275ee42ff72fa
-
Filesize: 1.4MB
MD5: 5d644d55a7bdc8710e0dbce4797e7e3e
SHA1: 24a86caffe45f7c9e984b8ae0595e652aad39136
SHA256: 2fbf36d9d6533b7b8defb915d96a9c026e995f42bc0f86ed13545cb73f2cd641
SHA512: cecee7f29a7426d25fe4ed49d6f55871619c3039d2ae69053ea93e0c41dda116f7169fdaa8959b87fcf995fd35e7b2e6c18610f6b36086db8ffd667fa3f00a2a
-
Filesize: 1.2MB
MD5: 8fdf824c4a09a3033222e81c88eb6008
SHA1: 9e747344bf5ce18f4a1fbf2e6d68611441e571de
SHA256: 9152074a56a2450d3ee174e3ec0440cb2a7c60dc869a300d17ba7589914ca092
SHA512: 85ebe9810fd144ddb7634a7e4095d2a84f212aee5b7a84816fe824a2f65c96841524f13268cf7e81d4aa203da0b0ced3c86747ac75db376b40fb7f382271d918
-
Filesize: 1.3MB
MD5: 36f89d23d6362444a5a833ff7120dd6d
SHA1: 3c45246f689c550f907ccd430512054d841297d3
SHA256: 00109931372fa106f38c2cb647b988304601456ce91895f29cd4e52ee6d86851
SHA512: 0cdb610081adef3e2ff4e473dbaba6732679bf6f21563e6e57cd894cdab0f42928591ad40dc06e2cff27482a910697921dad04e7c6435cd94c3884a14f501476
-
Filesize: 1.4MB
MD5: 7d2d8961c79b2af5698d0770e94e3657
SHA1: c2931b2f188998cd682f609c7bb8ccc4b5bbe5d7
SHA256: bb724c7ac5990a18874568c8c13e13b6e00625e51a4e1d0ede078687b166402e
SHA512: 98ffd15d00f60fbe8e3dc45ea3e36c9524d0ec47f5415aae11925ded06b54bf9114ff00414c48d6db6c5e1662f8aeb092d1a6e802561498e1e370fea7ac421ee
-
Filesize: 2.1MB
MD5: 19b6bb15e4dff5ce41191469d87d6faa
SHA1: 6c6b59223d23922ce4bebf53a17090a3792113b9
SHA256: 48cd6d90a4b4a16f8d215cb525827520ab44d7e1d66f6506fa7166dda82b3dfb
SHA512: 9c34ae6f91a8abc5f1efc74778160eed429497ef9e28bd92009d3e437b73836f3f5e4cf87756b8adf786ab599916fd7639fcf1d4c50841e6f93d061c34721019