blustealer | bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61

Analysis

max time kernel
153s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
01-05-2023 20:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmpj_mcuumo.exe
Size

1.5MB
MD5

39810b7912907fc879004874df0e9e9e
SHA1

f2e51d5e9f644058a8ff4d64458e2914ddf2a364
SHA256

bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61
SHA512

abd49e8623428a399f665e2157522b6d285cb6c1f77c043eb22038df2ebbfbb21f3823c08dd781be5df043f1ab9b514990ab890bc80086cf33860aa6f4e75b5d
SSDEEP

24576:molqfbt8n/WmtqmZfq/ppZge1+qWMZukXfRtgyCrWw:sxgWm8m+Zj+qbZuq

Score

10^/10

blustealer collection stealer

Malware Config

Extracted

Family

blustealer

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 22 IoCs

pid	Process
4236	alg.exe
3312	DiagnosticsHub.StandardCollector.Service.exe
3516	fxssvc.exe
1652	elevation_service.exe
3780	elevation_service.exe
2552	maintenanceservice.exe
4980	msdtc.exe
4896	OSE.EXE
4688	PerceptionSimulationService.exe
1832	perfhost.exe
3368	locator.exe
4976	SensorDataService.exe
2708	snmptrap.exe
1152	spectrum.exe
1112	ssh-agent.exe
4184	TieringEngineService.exe
1708	AgentService.exe
2464	vds.exe
4360	vssvc.exe
2812	wbengine.exe
952	WmiApSrv.exe
1332	SearchIndexer.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SgrmBroker.exe	tmpj_mcuumo.exe
File opened for modification	C:\Windows\system32\spectrum.exe	tmpj_mcuumo.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	tmpj_mcuumo.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\291d1e85ea807a0f.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	tmpj_mcuumo.exe
File opened for modification	C:\Windows\system32\msiexec.exe	tmpj_mcuumo.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	tmpj_mcuumo.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	tmpj_mcuumo.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	tmpj_mcuumo.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	tmpj_mcuumo.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	tmpj_mcuumo.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	tmpj_mcuumo.exe
File opened for modification	C:\Windows\System32\vds.exe	tmpj_mcuumo.exe
File opened for modification	C:\Windows\system32\vssvc.exe	tmpj_mcuumo.exe
File opened for modification	C:\Windows\System32\alg.exe	tmpj_mcuumo.exe
File opened for modification	C:\Windows\system32\dllhost.exe	tmpj_mcuumo.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	tmpj_mcuumo.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	tmpj_mcuumo.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	tmpj_mcuumo.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	tmpj_mcuumo.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	tmpj_mcuumo.exe
File opened for modification	C:\Windows\system32\AgentService.exe	tmpj_mcuumo.exe
File opened for modification	C:\Windows\system32\wbengine.exe	tmpj_mcuumo.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4392 set thread context of 4808	4392	tmpj_mcuumo.exe	90
PID 4808 set thread context of 4956	4808	tmpj_mcuumo.exe	96

Drops file in Program Files directory 58 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jcmd.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdb.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jhat.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdeps.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe	tmpj_mcuumo.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javac.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jconsole.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javah.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jjs.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jinfo.exe	tmpj_mcuumo.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	tmpj_mcuumo.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	tmpj_mcuumo.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 16 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	86	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4392	tmpj_mcuumo.exe
4392	tmpj_mcuumo.exe
4392	tmpj_mcuumo.exe
4392	tmpj_mcuumo.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
672	Process not Found
672	Process not Found

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeDebugPrivilege	4392	tmpj_mcuumo.exe
Token: SeTakeOwnershipPrivilege	4808	tmpj_mcuumo.exe
Token: SeAuditPrivilege	3516	fxssvc.exe
Token: SeRestorePrivilege	4184	TieringEngineService.exe
Token: SeManageVolumePrivilege	4184	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1708	AgentService.exe
Token: SeBackupPrivilege	4360	vssvc.exe
Token: SeRestorePrivilege	4360	vssvc.exe
Token: SeAuditPrivilege	4360	vssvc.exe
Token: SeBackupPrivilege	2812	wbengine.exe
Token: SeRestorePrivilege	2812	wbengine.exe
Token: SeSecurityPrivilege	2812	wbengine.exe
Token: 33	1332	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1332	SearchIndexer.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4808	tmpj_mcuumo.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 4392 wrote to memory of 212	4392	tmpj_mcuumo.exe	88
PID 4392 wrote to memory of 212	4392	tmpj_mcuumo.exe	88
PID 4392 wrote to memory of 212	4392	tmpj_mcuumo.exe	88
PID 4392 wrote to memory of 220	4392	tmpj_mcuumo.exe	89
PID 4392 wrote to memory of 220	4392	tmpj_mcuumo.exe	89
PID 4392 wrote to memory of 220	4392	tmpj_mcuumo.exe	89
PID 4392 wrote to memory of 4808	4392	tmpj_mcuumo.exe	90
PID 4392 wrote to memory of 4808	4392	tmpj_mcuumo.exe	90
PID 4392 wrote to memory of 4808	4392	tmpj_mcuumo.exe	90
PID 4392 wrote to memory of 4808	4392	tmpj_mcuumo.exe	90
PID 4392 wrote to memory of 4808	4392	tmpj_mcuumo.exe	90
PID 4392 wrote to memory of 4808	4392	tmpj_mcuumo.exe	90
PID 4392 wrote to memory of 4808	4392	tmpj_mcuumo.exe	90
PID 4392 wrote to memory of 4808	4392	tmpj_mcuumo.exe	90
PID 4808 wrote to memory of 4956	4808	tmpj_mcuumo.exe	96
PID 4808 wrote to memory of 4956	4808	tmpj_mcuumo.exe	96
PID 4808 wrote to memory of 4956	4808	tmpj_mcuumo.exe	96
PID 4808 wrote to memory of 4956	4808	tmpj_mcuumo.exe	96
PID 4808 wrote to memory of 4956	4808	tmpj_mcuumo.exe	96
PID 1332 wrote to memory of 456	1332	SearchIndexer.exe	121
PID 1332 wrote to memory of 456	1332	SearchIndexer.exe	121
PID 1332 wrote to memory of 2976	1332	SearchIndexer.exe	122
PID 1332 wrote to memory of 2976	1332	SearchIndexer.exe	122

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe
"C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4392
- C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe"
  2⤵
  PID:212
- C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe"
  2⤵
  PID:220
- C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4808
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path
    PID:4956

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4236

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3312

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1360

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3516

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1652

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3780

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2552

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4980

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4896

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4688

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1832

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3368

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4976

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2708

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1152

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1112

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4908

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4184

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1708

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2464

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4360

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2812

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:952

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1332
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:456
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  PID:2976

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
f4caae509912422d4cb91879db09cd05

SHA1
fd31a047707d0a6345c4d3a1751e195ea9b1ce05

SHA256
4ff5eabf88f74281e2379bca67f5dd602dc1472440e81b875ac3ff23929a4f7f

SHA512
4fcd1b6c807f6493aff98392be17557431504113eb07624d55a59c5fb10ff8911c71d8b1bba99165f5e1917af4605cb03f94dbae2b0f3dbc0f6b1366a05e626a

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
b3e03b8a5af37518f2c66e603803ec31

SHA1
ab524bd8d1a6913774bafd68b15e2ac5f83b5dec

SHA256
ea719bdefcb8ca7324eb97609dc2518d91cd804c4adda8073592405fa02654f2

SHA512
c2e19aee184438172737f9077d8a5a34578388e5d3e59815cdbd6ae196e53538048161e33e1473bb38d1062dc9cf052968b874e57f3ffad8b3a3b23417921869

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
facb91f0f70e4abe0eba10141f3a660c

SHA1
cdc3d71995130e04568637efc43a468afebc3039

SHA256
fba0dd03085352473f9c2a8e1477b33b7ec3c0876705f65b868874999cfedcc3

SHA512
6045dbc71eab785cc686b8ca58bc330cdc1e495ecd9d28a8362354686ab02f990da758dc7f37f9308a04cb7a370f6001f593c23578a9f1d07d66b7db4a0fb819

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
7189a154227085726317b0f57e137b8b

SHA1
3aa52aba342a5308069da774354b137bbab73bff

SHA256
b8232f6072bedb34c584ff4eb52c9fed47676a618487a588c1a9238f67b72834

SHA512
01020bc69b9dc9c7a632c9c94f96c8575e1f535532fea799346cb312f43f445c4edfeffa6818c9ffdfd3fd47cef2fc9c180d74a29f6f4adcac3d9456fd3c3d6b

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
c9e8a9c5fc0e4e6362aa7105c0d65984

SHA1
e3d449235bcfc1d21b1d83a9b84300717eff7553

SHA256
1d797698b8ce5b4209f8578fe83fa90428f9dd5d7fc64bb11c05710d5cbc7696

SHA512
bdfb10540a8497e5abf3d11e42ebd8b47a0c97734d0489fde596624e1c4a2283ea7b2771f7f4094a14cf5f7dc96b5f25718f88c93a2c81328f8e40c2a6ec2718

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
82dd9c82b007f9d70d4d64863e08d11f

SHA1
a46e1dc2ec392d92fbe6a7e6692e2e27ca2afe52

SHA256
6dbd039dd1f5e87449a1b131c662d91cce26ddfb803dc004cadbcfe48117307f

SHA512
a9a62d21920b52369d74e75eb7580d3cdf78280476c245348dfc0b24434ea6a9f78eeafcf64ed96fa731ea1e31b727fc3addca9c83b4f7c0583f848e651e7879

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
dba50e62eede89edf1a907d81e392121

SHA1
1a080128957104b3d7e4cda7327e895b0adad6cb

SHA256
f5cd22617d67bc37860f17a59d7b5c3729a54b8a2b9e9ad3526fab634759b598

SHA512
00635cf8c6eca3a213c3e6064356944517276048d0515cd5fd86bcae036d2153a5afa97a678e9b6379b311ebdaf71c7ef5aa8dfa1986d1088470280ad5452efb

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
27212f8585d68d010553a55f71400877

SHA1
7cb3b7727cde4c96cb05a69fd0cd9a4b433af93b

SHA256
d5de7053dd6cc01da3459c307a1be132565c5747d046857c76719fca37e5a348

SHA512
d492c7f88bb5d113b7f4450fccd53a8ab767ca4482a61f3b5968ebcc91bce0d733d6e18bc5e1b0c33ef1857dea6243f8fa2ac1308992e4735ff8cab9d31bfa3d

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
1d7cf56d11ee01f08b21cf0f84cc4804

SHA1
dc2274f9ce1f4f6df343c0f9034fd602fc5b8dc8

SHA256
ce7dce6e9270b0a87d2bc169bb1a4544970bd7a4d9eccff438aa2146d991464a

SHA512
dd31ad0bb3e6cab8d8e7a2aa19162ce4f90eb4f38e43a1c31ddfdd4c600becebef9f292100fdc38fcef641467f1e009feeb3ee762c94f15d81361b609c10390c

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
1254c25da7921c58cfc0f34ba3cc3fc9

SHA1
72cd9b476b44c57287d2c3dec58f3fdc18e04c6f

SHA256
6fbef5c6b5b38049991c589f66b06a3eec13a5eae88557e368ee4c548d5b86dc

SHA512
cd2b0c84b697eb84c9e32d15b90a5463b9f010d21476fbefd3b2d5e1253d1be0b36ac286da07656a877525079e801e996535b9f393a44fbf6bf46705a9045a75

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
1254c25da7921c58cfc0f34ba3cc3fc9

SHA1
72cd9b476b44c57287d2c3dec58f3fdc18e04c6f

SHA256
6fbef5c6b5b38049991c589f66b06a3eec13a5eae88557e368ee4c548d5b86dc

SHA512
cd2b0c84b697eb84c9e32d15b90a5463b9f010d21476fbefd3b2d5e1253d1be0b36ac286da07656a877525079e801e996535b9f393a44fbf6bf46705a9045a75

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
9b0dccdfedc24f5b09aa39b38211af07

SHA1
e45bd03973c253607604e5d6f83797aa4d030f11

SHA256
54f319fd51c33736263bd307d353899ae0f2d1fb76c14721133089aea0201c6f

SHA512
b4605353b3160e7da97f125a08281c4c47a87ed57b81d5e0bddf6568d90950ed577c54f91977c0326a0ca925c1e17db37c24fd82b89dfc05347fe7e0010def7e

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
919a0002200a7df28321b6545baf092d

SHA1
1d4d13c624bd53ec1a937c6389663930dbd9734e

SHA256
2adfc2251838f93308c5a18ebb89dd8dbd790b7cc5917e82b06d043e2a526db6

SHA512
0e0e4f5ed61993c1deda171e4c033c6946e17d540942e18b72a93ff40d9fb9e2264e03cf186ed77c0d6725e010eea5390c8ead8fb884facead98dc7f63f4992e

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
8d9b7829ec450dc2fbf565d58db32a64

SHA1
92c9bcace466db3bd01520b5d521eddcf776dbc7

SHA256
f6305d473d354223f23339e692a7e32530bd74a75e0e793b850da2554cfa8bc4

SHA512
2ae346e4f85ab0453cc028c0076552b8698a087ecf32ece3de8ac0d58f557e43a54d03047e49d124fdab62d697f3a2655c694d7e10fd3117a09ef0d44d6d572b

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
4fbab786bfa177b68ec484f45d010004

SHA1
1eac979bd3127323fffe639aebca623a24262c2f

SHA256
1782f3e2c704bb937a1f34f0788397c22237ae636c8721fa29a1f9bbd9494e70

SHA512
72d3666fc1b0d1cf1b833b1b63119e28508e82499ba152a88e9eb1c2d34953c45f0cc97c8f89b9a886d24464922be7fce25355ed79cbb664c85b98bc2773d988

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
4fa98772e03d10b14141a7bd90662eac

SHA1
30bd6f98ced9b992f9a156e4ff29b225e585d69f

SHA256
414c84dc2b1a6166da622d95ac4c29127f35ebfc08dcb02ef0b49feff6ffdbe4

SHA512
cd1c6114064e472de859b7f3d5157ea5c521574b24b9a2f184a223615a76b62975f1b924bac5c830004d9f8d516a4a69c79719c37736f592d0fef49038dbca34

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
3f99417eec81084afbc1dd9d6bc08b07

SHA1
e36782a171e27b6f94b3285871efc8316fc2e738

SHA256
b4a514df030f832cdb046dd726c0a9f85eb69a011ad48515ed984607422a2f8b

SHA512
150c8131198db3c7db1f6f9bafee304379823105964b4ef80eaacbd44bcc7dfb249b162e3599d5ad7d5200040ba11d582635094f88884ac0ef858ace05c00a6a

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
7bb66f99cd5a188c613719931045de56

SHA1
5b99253cce11947ba759b810338210c259267183

SHA256
192b4c591d6a701a3a177cdbcdd77b14cc8a116265e3f0ea558a68e5e01d87de

SHA512
2c1131c2e274cc643cdc80c0c52c6cb7652f33a812f6d3f3cc64e551a96b7a60b0b6e29ded1d2220912e4ef36a1558951fdea7ccc402eda2edb5eb65267e7f10

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
1c2bb8e8e66233498fce0a9811928146

SHA1
6e12a156c27cf885a39010b70e4a9dbfff0c306b

SHA256
be85d3ac78c68d5ad9216974940380588d6de07789aa34829efee5ec0f2ee204

SHA512
79b6b7e935bab674d053c97872d273627a3ec28fcf0375f5299ce5515ba5d4c211073d1fc994db8a7174e106d3bd424825e9a8f9776837be82b5e5bf9f4fb531

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
b6b2c3ee8989904f27665d94e9b147d1

SHA1
e86ae1ef2568cfa56f30eaa37fd6cdd84f5726b2

SHA256
a151fdb79a307fd55407b02826a8cd17dcd3b648c4adb8e02aa410b092441b08

SHA512
5b80006e043631014f0556e65802ff1ff4baf12bd93616a73f61d0839b60d1a89ef650a0f3319c4dd9a57eff004c219720250d51b5da1ff4878ebb1926fe9c41

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
9cfba1639782e6403f41d2dd17c3cb10

SHA1
5416ee7a45ac75a25b12aa2dff6ae651bfb832ce

SHA256
d319bf0d38f64b7475852112dde0bf69f0679fc39deec6bbc520ed20836bd9c7

SHA512
2f1372e498b72d1b128be941bde9b8740d998805c5c2454af205f085d44e5953545ad14f14693079fab396254e5cb3b4c6cfdadace53f424d2822fdfa2b724a7

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
51ee17fbb878d4e67c2101e62991111d

SHA1
2d90ed291c0028a4ea3a95f4281e8ef75f80a131

SHA256
5c15065d686cc4c9a9cb723330cb687925aa6ac67fef0939aba27353947d6de4

SHA512
53f24cf58a3f6f5278f6f2fbe16476be32cd0d4b33a176a3cc8fd139b3577884c1648f86d624c575208ab9cfd524cab1fc7f1fbacd2fb063d0566f632ed7a1ba

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
dac4013286ed8f8c18fd27e192517c6a

SHA1
216801b3c38b50dc0521b2ffb533ac8cf70480d3

SHA256
872e6ab646ac6bd3f17c35f4242ab5c976f04de0a6a9e60f352c2d36876a2f3c

SHA512
c2b59bf079c0a44fc0f2d1e5f2b22a97e99f7a930e0cf00a54464e2629cd01ccc995b387a990d948a5bca9599b9a9069414b9009e4c4523f89e7b6bde864cd19

Download Submit
memory/952-413-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/1112-344-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/1152-323-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1152-367-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1332-417-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1332-482-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1652-205-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1652-347-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1652-202-0x0000000000CF0000-0x0000000000D50000-memory.dmp

Filesize
384KB

Download
memory/1652-195-0x0000000000CF0000-0x0000000000D50000-memory.dmp

Filesize
384KB

Download
memory/1708-366-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1832-353-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/1832-273-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/2464-401-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2464-369-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2552-227-0x00000000016C0000-0x0000000001720000-memory.dmp

Filesize
384KB

Download
memory/2552-230-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2552-352-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2552-223-0x00000000016C0000-0x0000000001720000-memory.dmp

Filesize
384KB

Download
memory/2552-217-0x00000000016C0000-0x0000000001720000-memory.dmp

Filesize
384KB

Download
memory/2708-321-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2812-400-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3312-169-0x0000000000650000-0x00000000006B0000-memory.dmp

Filesize
384KB

Download
memory/3312-175-0x0000000000650000-0x00000000006B0000-memory.dmp

Filesize
384KB

Download
memory/3312-179-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/3368-299-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/3516-180-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3516-193-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3516-181-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/3516-188-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/3516-191-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/3780-207-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/3780-351-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3780-228-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3780-213-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/4184-346-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/4236-156-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4236-162-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4236-167-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/4360-479-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4360-380-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4392-136-0x0000000004FF0000-0x0000000005000000-memory.dmp

Filesize
64KB

Download
memory/4392-137-0x0000000005030000-0x000000000503A000-memory.dmp

Filesize
40KB

Download
memory/4392-138-0x0000000007240000-0x00000000072DC000-memory.dmp

Filesize
624KB

Download
memory/4392-133-0x0000000000500000-0x000000000067C000-memory.dmp

Filesize
1.5MB

Download
memory/4392-135-0x0000000005050000-0x00000000050E2000-memory.dmp

Filesize
584KB

Download
memory/4392-134-0x0000000005600000-0x0000000005BA4000-memory.dmp

Filesize
5.6MB

Download
memory/4688-271-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/4808-139-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/4808-144-0x0000000002E70000-0x0000000002ED6000-memory.dmp

Filesize
408KB

Download
memory/4808-149-0x0000000002E70000-0x0000000002ED6000-memory.dmp

Filesize
408KB

Download
memory/4808-143-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/4808-142-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/4808-242-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/4896-269-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/4956-183-0x0000000000800000-0x0000000000866000-memory.dmp

Filesize
408KB

Download
memory/4976-350-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4976-300-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4980-232-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4980-245-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download