blustealer | e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998

Analysis

max time kernel
153s
max time network
183s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
01-05-2023 20:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmprwm0tnp5.exe
Size

1.6MB
MD5

170860057f4aad06ddbeea0ca2b3f1b6
SHA1

db04c735b769df458518f959ae7eca39cfa06213
SHA256

e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998
SHA512

f8bf57126bad026be2414121c798d5688119f06312404c35dea3f457deb717f6422291f5401178586fd23055577f893b4e6236e413c909e3b526c45d3b957766
SSDEEP

24576:uU7taDBzgNEfeEvFTMxdzYPh1ogay/zj1weNgcHFx5MpfTjU/c7jNXPohE:uU7PNBmMxdEvogdzxzHFx+pfTgE7VPI

Score

10^/10

blustealer collection stealer

Malware Config

Extracted

Family

blustealer

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 22 IoCs

pid	Process
3628	alg.exe
4080	DiagnosticsHub.StandardCollector.Service.exe
2820	fxssvc.exe
3248	elevation_service.exe
3604	elevation_service.exe
4424	maintenanceservice.exe
4200	msdtc.exe
1708	OSE.EXE
2020	PerceptionSimulationService.exe
4288	perfhost.exe
4404	locator.exe
1900	SensorDataService.exe
4304	snmptrap.exe
2972	spectrum.exe
1500	ssh-agent.exe
3668	TieringEngineService.exe
2820	AgentService.exe
3376	vds.exe
4236	vssvc.exe
2960	wbengine.exe
3236	WmiApSrv.exe
536	SearchIndexer.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	tmprwm0tnp5.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	tmprwm0tnp5.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	tmprwm0tnp5.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\f6d516a250d0d086.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	tmprwm0tnp5.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	tmprwm0tnp5.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	tmprwm0tnp5.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	tmprwm0tnp5.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	tmprwm0tnp5.exe
File opened for modification	C:\Windows\System32\msdtc.exe	tmprwm0tnp5.exe
File opened for modification	C:\Windows\system32\msiexec.exe	tmprwm0tnp5.exe
File opened for modification	C:\Windows\system32\locator.exe	tmprwm0tnp5.exe
File opened for modification	C:\Windows\system32\spectrum.exe	tmprwm0tnp5.exe
File opened for modification	C:\Windows\system32\wbengine.exe	tmprwm0tnp5.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	tmprwm0tnp5.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	tmprwm0tnp5.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	tmprwm0tnp5.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	tmprwm0tnp5.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	tmprwm0tnp5.exe
File opened for modification	C:\Windows\system32\AgentService.exe	tmprwm0tnp5.exe
File opened for modification	C:\Windows\System32\vds.exe	tmprwm0tnp5.exe
File opened for modification	C:\Windows\system32\vssvc.exe	tmprwm0tnp5.exe
File opened for modification	C:\Windows\System32\alg.exe	tmprwm0tnp5.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3956 set thread context of 4900	3956	tmprwm0tnp5.exe	86
PID 4900 set thread context of 4072	4900	tmprwm0tnp5.exe	91

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\keytool.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmic.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javacpl.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\ktab.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\klist.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdeps.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\serialver.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jcmd.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\servertool.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstat.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmiregistry.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\servertool.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javaw.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\ssvagent.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\tnameserv.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\xjc.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jhat.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	tmprwm0tnp5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstatd.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\ktab.exe	tmprwm0tnp5.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\orbd.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe	tmprwm0tnp5.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	tmprwm0tnp5.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstack.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jps.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jvisualvm.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\policytool.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\kinit.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\rmid.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jabswitch.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jp2launcher.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\unpack200.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\klist.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jinfo.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\schemagen.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\unpack200.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\java-rmi.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jjs.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	tmprwm0tnp5.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	tmprwm0tnp5.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	tmprwm0tnp5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 11 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	94	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3956	tmprwm0tnp5.exe
3956	tmprwm0tnp5.exe
3956	tmprwm0tnp5.exe
3956	tmprwm0tnp5.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeDebugPrivilege	3956	tmprwm0tnp5.exe
Token: SeTakeOwnershipPrivilege	4900	tmprwm0tnp5.exe
Token: SeAuditPrivilege	2820	fxssvc.exe
Token: SeRestorePrivilege	3668	TieringEngineService.exe
Token: SeManageVolumePrivilege	3668	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2820	AgentService.exe
Token: SeBackupPrivilege	4236	vssvc.exe
Token: SeRestorePrivilege	4236	vssvc.exe
Token: SeAuditPrivilege	4236	vssvc.exe
Token: SeBackupPrivilege	2960	wbengine.exe
Token: SeRestorePrivilege	2960	wbengine.exe
Token: SeSecurityPrivilege	2960	wbengine.exe
Token: 33	536	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	536	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	536	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	536	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	536	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	536	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	536	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	536	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	536	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	536	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	536	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	536	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	536	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	536	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	536	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	536	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	536	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	536	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	536	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	536	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	536	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	536	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	536	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	536	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	536	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	536	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	536	SearchIndexer.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4900	tmprwm0tnp5.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 3956 wrote to memory of 3656	3956	tmprwm0tnp5.exe	84
PID 3956 wrote to memory of 3656	3956	tmprwm0tnp5.exe	84
PID 3956 wrote to memory of 3656	3956	tmprwm0tnp5.exe	84
PID 3956 wrote to memory of 3820	3956	tmprwm0tnp5.exe	85
PID 3956 wrote to memory of 3820	3956	tmprwm0tnp5.exe	85
PID 3956 wrote to memory of 3820	3956	tmprwm0tnp5.exe	85
PID 3956 wrote to memory of 4900	3956	tmprwm0tnp5.exe	86
PID 3956 wrote to memory of 4900	3956	tmprwm0tnp5.exe	86
PID 3956 wrote to memory of 4900	3956	tmprwm0tnp5.exe	86
PID 3956 wrote to memory of 4900	3956	tmprwm0tnp5.exe	86
PID 3956 wrote to memory of 4900	3956	tmprwm0tnp5.exe	86
PID 3956 wrote to memory of 4900	3956	tmprwm0tnp5.exe	86
PID 3956 wrote to memory of 4900	3956	tmprwm0tnp5.exe	86
PID 3956 wrote to memory of 4900	3956	tmprwm0tnp5.exe	86
PID 4900 wrote to memory of 4072	4900	tmprwm0tnp5.exe	91
PID 4900 wrote to memory of 4072	4900	tmprwm0tnp5.exe	91
PID 4900 wrote to memory of 4072	4900	tmprwm0tnp5.exe	91
PID 4900 wrote to memory of 4072	4900	tmprwm0tnp5.exe	91
PID 4900 wrote to memory of 4072	4900	tmprwm0tnp5.exe	91
PID 536 wrote to memory of 4956	536	SearchIndexer.exe	120
PID 536 wrote to memory of 4956	536	SearchIndexer.exe	120
PID 536 wrote to memory of 4276	536	SearchIndexer.exe	121
PID 536 wrote to memory of 4276	536	SearchIndexer.exe	121

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe
"C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3956
- C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe
  "C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe"
  2⤵
  PID:3656
- C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe
  "C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe"
  2⤵
  PID:3820
- C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe
  "C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4900
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path
    PID:4072

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3628

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4080

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:956

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2820

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3248

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3604

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4424

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4200

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1708

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2020

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4288

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4404

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1900

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4304

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2972

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1500

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3840

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3668

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2820

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3376

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4236

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2960

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3236

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:536
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4956
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  PID:4276

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
8967097571d288604cc8a27d3b3a1efd

SHA1
86e303cc6978a9f4f7938ddabba2544cbd1cc40d

SHA256
b41574115fdd682ad0e39ebcffbad412a4c3cf7332c4c8de0196997b2663d51e

SHA512
7a461573d4772d85366d0429ed146d38b752bae7adf177cbd8cea746ba415fafb49e2584221ea29bcd204250083ed12138e7047b3934ccb66d724612206b61f5

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
0839a308b061edb7d8b8d6895076c07f

SHA1
9f949fbc6a16be3b27d6444150dc55f5e6ebf003

SHA256
d44d0eb777721152dd10f0d1b10d33ad50c688fdc4f75e6d6fb5d87c0f14ab2d

SHA512
c9d14ba6ebc400bb2e38ba4be6472bd4efca88d5af42998be9c69f0e7d0045b1e4e463016e0ea0cc07dc6fab5d3db08cb2af555a0165869ef7174094d5e47833

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
b657e33f0855b7ce102444ad932d1129

SHA1
95f4230a082d1e869480ebf8ea9b960cd0da0dae

SHA256
0997718d8d26b8bb6cf9af2a3fe2c9122985bb6b2e513bd684026b7d23ea9dd8

SHA512
7490f5ec4e924620ce9d761b17e80180f3b9cc6a95dda02a76ed517c20bd1805907f8dbba435ae089e434e5f88f52c2bd092dfea756f6d4d95de8ca0d49dd81b

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
48c1d5d33ec3de51a69b0182a3ed7721

SHA1
579cf5653890c156dfc3dd33f43a1e2613183e6f

SHA256
17a7d462c60b06793ee2ba8114bfa9334e0fbc7ff9b65bcd0631deb6ad4bd84b

SHA512
c4d8d6a64618eb04e9c50b062309a3a429af74dbafc521c7e60e8d9c8445d3230c5f2f1537fe0d52482babc7140eba7c44bd04702218d643cbd2e8301f8bee03

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
1ebadf65d907ec6b959df6197ea99b68

SHA1
47f586d9e140d6cb5e71257072b8ee3c03f836f0

SHA256
22da944d17538eda1c3267435390e863133d30c747b7e66170af12d9370b0a30

SHA512
039b6510532c9c51e1ef3060fa95d7b31e636b3a352683ae300a6a1a6a077b4d3256bcffc6b7e5b32177efca551cc0c414f1129f186dfade9f3fefa7b3fcac94

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
19cbb3cfa9452f1e5aff5ab57e0cfa5b

SHA1
f40877be5735382c82db6339b543ad5438d0f710

SHA256
313f7b1316406d4681adb4859683138adafa32f15931da18015f3afef4131ecf

SHA512
502ac502142f9948723b0ec43adf60599afc17991db641ca330723f4553d795fffff6af6655b50e1fbb19117067a65cbece92c95ee302e7ce84c9aeaaceb0490

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
08998cd0707912d9d0c1abdce0bbf553

SHA1
0722101f27955a6871e443cc3d2cae625662dc85

SHA256
80535ee741805fdf7158ef369e45d23df564fdf4dfdae74e098954ab05adf24b

SHA512
c4a98f1236ad7187a6290d7bd115959e8d0d9a863f7fc2d6acfc18b1dd1e226979dae6eedeb3b4eb9c0f5b83866db2678a9411622bbfa43785357fac2399dc11

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
3b782cf039f32ec6632aa4036e84961b

SHA1
f2aac2b221cad33867cd918eef3732ccc65ce149

SHA256
e35225787e01c2c32178d2e5969ca5f565f86499a186f7f4f2f75c888ebd0f61

SHA512
194914ccdac398a717980e7d79ca711735b48a03097e01d68e0aa5588b03cb24dc0af93e8100d8aa55a4da8ad9926d9537119f297b0d4478936a02815bf72053

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
671606556a23007e08184cb2622eed93

SHA1
41aca8f4b58e3d84637ad342b475da4ae572c118

SHA256
8daf2d393e88c93fa22d604bb14d6a8dd1333a2bb40d91f043c1356c43727cd1

SHA512
ca09f114d959359a177f74ff20dac602de8aada729450911a0188c9332215bdd23ff7759dca50331e34ba1800b4898e2aa060ce32d9b8f8b1ea53ca31a37375c

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
47b4e43bb5e27d7509e1a721223f7a28

SHA1
147f9a8b62d9f2f0094da2c34bd608284dded47a

SHA256
588abd29950b1b4823fea33f29bee3e8d9818ff83c7e3a1794b891e8fddc71a1

SHA512
8f131cce393a6e532b8ee46d59ccaa53236e9105f4f5217f6f6cdc8fac04ddab60427aa5b09e83ef204f97f0bfab7f487b4934a5de7738c17170a71d15ed124c

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
47b4e43bb5e27d7509e1a721223f7a28

SHA1
147f9a8b62d9f2f0094da2c34bd608284dded47a

SHA256
588abd29950b1b4823fea33f29bee3e8d9818ff83c7e3a1794b891e8fddc71a1

SHA512
8f131cce393a6e532b8ee46d59ccaa53236e9105f4f5217f6f6cdc8fac04ddab60427aa5b09e83ef204f97f0bfab7f487b4934a5de7738c17170a71d15ed124c

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
c4812b4d033a0d5f8258b02c6d202ab8

SHA1
bcf10b582b4192e71329a1ce0e505f1a6303a732

SHA256
2b2654c924b303eea1931c771a08ac8c244d304611e4b676cab46d1c33c7d31a

SHA512
3eb620fbad647161ba40dc9eee4314dfb32606c8fa236901f7dc5f89c86d3dd8907820ecd5b3aff893528d19a6b3642ea355d68259e76f9c3b1a6ea6a024643b

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
11977c08354332f40171281aadd50d7b

SHA1
95190c84e28ca4daffc0f3b83fdfded045c5d67d

SHA256
1c560e900fe02de08816749264657f77dcbc723a8f0ca36f746334d4e21aa59f

SHA512
54fc0f384b32db510d77fb4d8544788fb845a3b42023de20d24613a0d4e744cbd7596696d3629871b472c66261caf2b37566b2d1637efa705cd3b8f6ad7b38c4

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
47160ecb9be7aed19f7c20378081c5db

SHA1
1248308c1d367d3d2cc8aceefca70d37a5cb7add

SHA256
0e5dea696864defdf4b94671bfbb06c96b1af179fbfb5452b5ea39fc1bd7dbb4

SHA512
cb6223257939926e0b0b3d7b4a3bd9ea4a34e72cd94294842bb601d21d2a1c295add7b8a55f82bb7e96c593f1256da48a0fb258a2a568eacb857b21f96610199

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
2d55fdfc0c07f38a1d06f4035d9811f7

SHA1
33915bb95dae8e77dd46112a182dd45a56ebd48e

SHA256
35393218311012d8e2478142ed24a92f71cd8a08ed01d4753639b343fd27bf9c

SHA512
e45d5cd0fa5c8a9b76dd2aca7bf0512b47af1327bf08ffd617c936b85974882d6feb4436b2a4cf9490cdb3fce15736296656db07e353fe1e96e8f9a96f27d9de

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
becd83b35f45a8f41e0187e15c099bcf

SHA1
2d956c8b7813c1c7379ba609a5646c4a272916cc

SHA256
82b77d9edc3ed03c86beef2239f3cfb5a773028affa70b4efee422ff6936c9fa

SHA512
1e1b14b78ad56d109f4bd51dab84efa6a9efa47b1452077b4220b40d54b98dc5d72dde082dc912acab080772222e2663251170efb195714fccf298ce982eb54b

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
07de899cd670a663f8d489c903448796

SHA1
9603a63b356121c0390ed512f52c96960ef22765

SHA256
c6ae33957a5b6a0a568434adcf8458f595bedb314fd73937910b0aa17219d5e2

SHA512
d7376843c1a71c7979b7661eb2daa136fe2bdad1e50bc99cd203c40c28baabbe697d379176b93c18dc4f0010424bfb9616644c47b768031e684aa06da5ce6637

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
2116d400d3b7faf23c2d104584eab934

SHA1
2e14bb60e58477a168c047aa10a3130c3ba4556e

SHA256
7cc96c0bf747761544226b7443c90b08e87a6515fac28cca8972f914320fd388

SHA512
0a7ee3fa0f6a16dbe77ce8eee6f2be029d904d25a2673f299673e27cde61b26bf20d8afe83c03f30ecb4d6ad1b80ce99ed11f63edb3e48745f8297a31ce0f1a2

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
74eeac9050aa063b9ed419810095cfde

SHA1
44e324ce19aac911676cab517869ac4db67533ab

SHA256
ded170cb901faa19e95a2b67c51824a7b6c808ba5fc695103ec0688b40867287

SHA512
5f39e17ad7eb55ef3763207ff05d1e186e28d4edd1092f40d77a4a9efb48ef39cd138e99ddf018a71ca4fa4ba62bdec9fb90ddf61ece87e0c7fb15e066a3b5eb

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
a4496bb54b1ce8cb956222779608c8d4

SHA1
cb03545502d3d9c8d53da0660d6f9ae6ab6f57fe

SHA256
9475dee739d6ee39b7965133338e71ea4b7fa379522e8c0d1a64f21b32070499

SHA512
38bc1033c9de507b7620b1ca8007b2fbd1de3ed3f383e09b90daeb5711be4f894514250e85732ec949d822a35591ced2e113d608abb70326a24c8b5b6840e36d

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
276fb13f2e695f7dbfbb31fdea3addd2

SHA1
d0ef9c220d167b2744e46abadb8fc7fe8ecf29e8

SHA256
925d095b43278380e7d12a2f4e7e3a42886ab3b6a7b3635ccae48d6c1b3fc69e

SHA512
0ad68ff5e9466f5b6cdc11c897fde5cb325cf58f7893ad1f604aa3d0a5d5ef8bf61dd37a63652fc355ad6431b96a7fedc6222d59155f2476f2959525a0ceb28f

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
e1e79ef1ded7cbaffd4dd1e3792ed479

SHA1
6a8737e9c346f22b72abbd3f05c737f2610d2d19

SHA256
56b0982bd25c3004e5deb21cec28d1ccc3890364c31c8f790a09293f57ad1183

SHA512
9f0249aeab3c3315dd8ef103f441b3219e9da0742773845d23e73e91ad836550dfd088f9843661a03e959f61643df27b724c2c52c5f54aa90d6223c3b373c1ca

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
5f97eb29c5f3ff13ef2e2843cbb6d508

SHA1
2718d89897d609deacc06dcae6b630f89db71303

SHA256
2ffadef006b731f968c117ce5474a6ed4f96bdb75d99ec3fb312ab1da0796448

SHA512
5860e0baa88cbdec191177138f0b08b689a2749adddcbeeb3359530b26b3d206f4fc23cebbaab7ce8be135245a437829d500893bd7b142351e745d6f3f91df18

Download Submit
memory/536-427-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/536-482-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1500-364-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/1708-260-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/1900-330-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1900-317-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2020-279-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/2820-188-0x0000000000D50000-0x0000000000DB0000-memory.dmp

Filesize
384KB

Download
memory/2820-380-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2820-181-0x0000000000D50000-0x0000000000DB0000-memory.dmp

Filesize
384KB

Download
memory/2820-191-0x0000000000D50000-0x0000000000DB0000-memory.dmp

Filesize
384KB

Download
memory/2820-195-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2960-424-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2972-342-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2972-478-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3236-425-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/3236-481-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/3248-247-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3248-204-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/3248-194-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/3248-200-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3376-479-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3376-391-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3604-214-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/3604-208-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/3604-248-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3604-223-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3628-161-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/3628-164-0x00000000004A0000-0x0000000000500000-memory.dmp

Filesize
384KB

Download
memory/3628-244-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/3628-156-0x00000000004A0000-0x0000000000500000-memory.dmp

Filesize
384KB

Download
memory/3668-366-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/3956-137-0x0000000005280000-0x0000000005290000-memory.dmp

Filesize
64KB

Download
memory/3956-135-0x0000000005050000-0x00000000050E2000-memory.dmp

Filesize
584KB

Download
memory/3956-136-0x00000000050F0000-0x00000000050FA000-memory.dmp

Filesize
40KB

Download
memory/3956-139-0x0000000006EB0000-0x0000000006F4C000-memory.dmp

Filesize
624KB

Download
memory/3956-138-0x0000000005280000-0x0000000005290000-memory.dmp

Filesize
64KB

Download
memory/3956-133-0x0000000000650000-0x00000000007E6000-memory.dmp

Filesize
1.6MB

Download
memory/3956-134-0x0000000005560000-0x0000000005B04000-memory.dmp

Filesize
5.6MB

Download
memory/4072-184-0x0000000000980000-0x00000000009E6000-memory.dmp

Filesize
408KB

Download
memory/4072-197-0x00000000051B0000-0x00000000051C0000-memory.dmp

Filesize
64KB

Download
memory/4080-246-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/4080-178-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/4080-176-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4080-170-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4200-234-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/4200-235-0x00000000007A0000-0x0000000000800000-memory.dmp

Filesize
384KB

Download
memory/4200-261-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/4236-480-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4236-401-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4288-281-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/4288-341-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/4304-327-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/4404-316-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/4424-230-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4424-233-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4424-226-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4424-225-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4424-218-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4900-159-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/4900-243-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/4900-140-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/4900-143-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/4900-149-0x0000000002A20000-0x0000000002A86000-memory.dmp

Filesize
408KB

Download
memory/4900-144-0x0000000002A20000-0x0000000002A86000-memory.dmp

Filesize
408KB

Download