Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
04/05/2023, 11:55
Static task
static1
Behavioral task
behavioral1
Sample
Purchase Order 202319876.exe
Resource
win7-20230220-en
General
-
Target
Purchase Order 202319876.exe
-
Size
1.5MB
-
MD5
b3b47f7fd1fad3e0d79c8d20a5bd57b0
-
SHA1
dcb8e21d45e9b6a1b9408b67866f79c191e0122c
-
SHA256
df2a21acbf5abb55445a48a442b6245205ec80e36bb861aadd47ee18e4d132f2
-
SHA512
3e711ff9895ee2f627c79ef089ff9955c5b73ba3fc05787e66fb635159e7737d95c67b79606a5d8cea7e0f37962989f8332221aec79d08a64564ce4d3a0b9226
-
SSDEEP
24576:eTJyekkXDVzThJ68yj42MiIsMcGOKJvADSiBHYcOvCedKERBx4HoHvguqT+z:YjXRf76hsZiZGFJ4DSImvC3ERBZv5pz
Malware Config
Extracted
darkcloud
https://api.telegram.org/bot5955632087:AAGbHX-YygFpBeOiEaTfH9CY-2MMNrZcY48/sendMessage?chat_id=865011046
Signatures
-
Executes dropped EXE 22 IoCs
pid Process 2512 alg.exe 2156 DiagnosticsHub.StandardCollector.Service.exe 672 fxssvc.exe 4392 elevation_service.exe 1336 elevation_service.exe 3488 maintenanceservice.exe 3448 msdtc.exe 4264 OSE.EXE 5020 PerceptionSimulationService.exe 2032 perfhost.exe 3792 locator.exe 1980 SensorDataService.exe 1772 snmptrap.exe 3652 spectrum.exe 3756 ssh-agent.exe 3192 TieringEngineService.exe 5024 AgentService.exe 3484 vds.exe 3592 vssvc.exe 632 wbengine.exe 1100 WmiApSrv.exe 4336 SearchIndexer.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in System32 directory 24 IoCs
description ioc Process File opened for modification C:\Windows\system32\AppVClient.exe Purchase Order 202319876.exe File opened for modification C:\Windows\system32\msiexec.exe Purchase Order 202319876.exe File opened for modification C:\Windows\system32\SgrmBroker.exe Purchase Order 202319876.exe File opened for modification C:\Windows\System32\SensorDataService.exe Purchase Order 202319876.exe File opened for modification C:\Windows\System32\snmptrap.exe Purchase Order 202319876.exe File opened for modification C:\Windows\System32\OpenSSH\ssh-agent.exe Purchase Order 202319876.exe File opened for modification C:\Windows\System32\alg.exe Purchase Order 202319876.exe File opened for modification C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe Purchase Order 202319876.exe File opened for modification C:\Windows\System32\msdtc.exe Purchase Order 202319876.exe File opened for modification C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe Purchase Order 202319876.exe File opened for modification C:\Windows\system32\locator.exe Purchase Order 202319876.exe File opened for modification C:\Windows\System32\vds.exe Purchase Order 202319876.exe File opened for modification C:\Windows\system32\wbem\WmiApSrv.exe Purchase Order 202319876.exe File opened for modification C:\Windows\system32\SearchIndexer.exe Purchase Order 202319876.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\68e665fc9a2815e1.bin alg.exe File opened for modification C:\Windows\system32\fxssvc.exe Purchase Order 202319876.exe File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG msdtc.exe File opened for modification C:\Windows\SysWow64\perfhost.exe Purchase Order 202319876.exe File opened for modification C:\Windows\system32\vssvc.exe Purchase Order 202319876.exe File opened for modification C:\Windows\system32\wbengine.exe Purchase Order 202319876.exe File opened for modification C:\Windows\system32\dllhost.exe Purchase Order 202319876.exe File opened for modification C:\Windows\system32\spectrum.exe Purchase Order 202319876.exe File opened for modification C:\Windows\system32\TieringEngineService.exe Purchase Order 202319876.exe File opened for modification C:\Windows\system32\AgentService.exe Purchase Order 202319876.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 3304 set thread context of 2768 3304 Purchase Order 202319876.exe 94 -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE Purchase Order 202319876.exe File opened for modification C:\Program Files\Google\Chrome\Application\chrome_proxy.exe Purchase Order 202319876.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\bin\unpack200.exe Purchase Order 202319876.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe Purchase Order 202319876.exe File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log maintenanceservice.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe Purchase Order 202319876.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\javah.exe Purchase Order 202319876.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\jdeps.exe Purchase Order 202319876.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\rmid.exe Purchase Order 202319876.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\bin\rmiregistry.exe Purchase Order 202319876.exe File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\pack200.exe Purchase Order 202319876.exe File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\rmid.exe Purchase Order 202319876.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\jvisualvm.exe Purchase Order 202319876.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\serialver.exe Purchase Order 202319876.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\bin\ssvagent.exe Purchase Order 202319876.exe File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\unpack200.exe Purchase Order 202319876.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe Purchase Order 202319876.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\bin\java.exe Purchase Order 202319876.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\bin\orbd.exe Purchase Order 202319876.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\bin\policytool.exe Purchase Order 202319876.exe File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\jabswitch.exe Purchase Order 202319876.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe Purchase Order 202319876.exe File opened for modification C:\Program Files\7-Zip\Uninstall.exe Purchase Order 202319876.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe Purchase Order 202319876.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe Purchase Order 202319876.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe Purchase Order 202319876.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\jcmd.exe Purchase Order 202319876.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\rmic.exe Purchase Order 202319876.exe File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\javaws.exe Purchase Order 202319876.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe Purchase Order 202319876.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\nbexec.exe Purchase Order 202319876.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe Purchase Order 202319876.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe Purchase Order 202319876.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\javac.exe Purchase Order 202319876.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\jrunscript.exe Purchase Order 202319876.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\rmiregistry.exe Purchase Order 202319876.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\bin\jp2launcher.exe Purchase Order 202319876.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe Purchase Order 202319876.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe Purchase Order 202319876.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe Purchase Order 202319876.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe Purchase Order 202319876.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\jstack.exe Purchase Order 202319876.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe Purchase Order 202319876.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\jps.exe Purchase Order 202319876.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\tnameserv.exe Purchase Order 202319876.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\bin\javacpl.exe Purchase Order 202319876.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\bin\ktab.exe Purchase Order 202319876.exe File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\kinit.exe Purchase Order 202319876.exe File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\rmiregistry.exe Purchase Order 202319876.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe Purchase Order 202319876.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe Purchase Order 202319876.exe File opened for modification C:\Program Files (x86)\Internet Explorer\ielowutil.exe Purchase Order 202319876.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\jjs.exe Purchase Order 202319876.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\bin\jabswitch.exe Purchase Order 202319876.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\bin\klist.exe Purchase Order 202319876.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\bin\rmid.exe Purchase Order 202319876.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe Purchase Order 202319876.exe File opened for modification C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe Purchase Order 202319876.exe File opened for modification C:\Program Files (x86)\Internet Explorer\ExtExport.exe Purchase Order 202319876.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\mip.exe Purchase Order 202319876.exe File opened for modification C:\Program Files\Internet Explorer\ielowutil.exe Purchase Order 202319876.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe Purchase Order 202319876.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\schemagen.exe Purchase Order 202319876.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe Purchase Order 202319876.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe Purchase Order 202319876.exe File opened for modification C:\Windows\DtcInstall.log msdtc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C SensorDataService.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 spectrum.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A spectrum.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 SensorDataService.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A SensorDataService.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 SensorDataService.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 spectrum.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A SensorDataService.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 TieringEngineService.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz TieringEngineService.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" fxssvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection" SearchIndexer.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia SearchFilterHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file" SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008fd8d833907ed901 SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer SearchFilterHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer SearchFilterHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009a2c4c33907ed901 SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000232b8a33907ed901 SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format" SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008496b332907ed901 SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" fxssvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1133 = "Print" fxssvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit SearchFilterHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration" SearchIndexer.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004c58f632907ed901 SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE SearchFilterHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie SearchFilterHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000045a09f33907ed901 SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration" SearchIndexer.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration" SearchIndexer.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d4153c35907ed901 SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine" SearchIndexer.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d9aba732907ed901 SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList SearchProtocolHost.exe -
Suspicious behavior: EnumeratesProcesses 39 IoCs
pid Process 3304 Purchase Order 202319876.exe 3304 Purchase Order 202319876.exe 3304 Purchase Order 202319876.exe 3304 Purchase Order 202319876.exe 2768 Purchase Order 202319876.exe 2768 Purchase Order 202319876.exe 2768 Purchase Order 202319876.exe 2768 Purchase Order 202319876.exe 2768 Purchase Order 202319876.exe 2768 Purchase Order 202319876.exe 2768 Purchase Order 202319876.exe 2768 Purchase Order 202319876.exe 2768 Purchase Order 202319876.exe 2768 Purchase Order 202319876.exe 2768 Purchase Order 202319876.exe 2768 Purchase Order 202319876.exe 2768 Purchase Order 202319876.exe 2768 Purchase Order 202319876.exe 2768 Purchase Order 202319876.exe 2768 Purchase Order 202319876.exe 2768 Purchase Order 202319876.exe 2768 Purchase Order 202319876.exe 2768 Purchase Order 202319876.exe 2768 Purchase Order 202319876.exe 2768 Purchase Order 202319876.exe 2768 Purchase Order 202319876.exe 2768 Purchase Order 202319876.exe 2768 Purchase Order 202319876.exe 2768 Purchase Order 202319876.exe 2768 Purchase Order 202319876.exe 2768 Purchase Order 202319876.exe 2768 Purchase Order 202319876.exe 2768 Purchase Order 202319876.exe 2768 Purchase Order 202319876.exe 2768 Purchase Order 202319876.exe 2768 Purchase Order 202319876.exe 2768 Purchase Order 202319876.exe 2768 Purchase Order 202319876.exe 2768 Purchase Order 202319876.exe -
Suspicious behavior: LoadsDriver 2 IoCs
pid Process 648 Process not Found 648 Process not Found -
Suspicious use of AdjustPrivilegeToken 44 IoCs
description pid Process Token: SeDebugPrivilege 3304 Purchase Order 202319876.exe Token: SeTakeOwnershipPrivilege 2768 Purchase Order 202319876.exe Token: SeAuditPrivilege 672 fxssvc.exe Token: SeRestorePrivilege 3192 TieringEngineService.exe Token: SeManageVolumePrivilege 3192 TieringEngineService.exe Token: SeAssignPrimaryTokenPrivilege 5024 AgentService.exe Token: SeBackupPrivilege 3592 vssvc.exe Token: SeRestorePrivilege 3592 vssvc.exe Token: SeAuditPrivilege 3592 vssvc.exe Token: SeBackupPrivilege 632 wbengine.exe Token: SeRestorePrivilege 632 wbengine.exe Token: SeSecurityPrivilege 632 wbengine.exe Token: 33 4336 SearchIndexer.exe Token: SeIncBasePriorityPrivilege 4336 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4336 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4336 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4336 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4336 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4336 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4336 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4336 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4336 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4336 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4336 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4336 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4336 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4336 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4336 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4336 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4336 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4336 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4336 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4336 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4336 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4336 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4336 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4336 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4336 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 4336 SearchIndexer.exe Token: SeDebugPrivilege 2768 Purchase Order 202319876.exe Token: SeDebugPrivilege 2768 Purchase Order 202319876.exe Token: SeDebugPrivilege 2768 Purchase Order 202319876.exe Token: SeDebugPrivilege 2768 Purchase Order 202319876.exe Token: SeDebugPrivilege 2768 Purchase Order 202319876.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2768 Purchase Order 202319876.exe -
Suspicious use of WriteProcessMemory 18 IoCs
description pid Process procid_target PID 3304 wrote to memory of 2420 3304 Purchase Order 202319876.exe 92 PID 3304 wrote to memory of 2420 3304 Purchase Order 202319876.exe 92 PID 3304 wrote to memory of 2420 3304 Purchase Order 202319876.exe 92 PID 3304 wrote to memory of 728 3304 Purchase Order 202319876.exe 93 PID 3304 wrote to memory of 728 3304 Purchase Order 202319876.exe 93 PID 3304 wrote to memory of 728 3304 Purchase Order 202319876.exe 93 PID 3304 wrote to memory of 2768 3304 Purchase Order 202319876.exe 94 PID 3304 wrote to memory of 2768 3304 Purchase Order 202319876.exe 94 PID 3304 wrote to memory of 2768 3304 Purchase Order 202319876.exe 94 PID 3304 wrote to memory of 2768 3304 Purchase Order 202319876.exe 94 PID 3304 wrote to memory of 2768 3304 Purchase Order 202319876.exe 94 PID 3304 wrote to memory of 2768 3304 Purchase Order 202319876.exe 94 PID 3304 wrote to memory of 2768 3304 Purchase Order 202319876.exe 94 PID 3304 wrote to memory of 2768 3304 Purchase Order 202319876.exe 94 PID 4336 wrote to memory of 4448 4336 SearchIndexer.exe 121 PID 4336 wrote to memory of 4448 4336 SearchIndexer.exe 121 PID 4336 wrote to memory of 2720 4336 SearchIndexer.exe 122 PID 4336 wrote to memory of 2720 4336 SearchIndexer.exe 122 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Purchase Order 202319876.exe"C:\Users\Admin\AppData\Local\Temp\Purchase Order 202319876.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3304 -
C:\Users\Admin\AppData\Local\Temp\Purchase Order 202319876.exe"C:\Users\Admin\AppData\Local\Temp\Purchase Order 202319876.exe"2⤵PID:2420
-
-
C:\Users\Admin\AppData\Local\Temp\Purchase Order 202319876.exe"C:\Users\Admin\AppData\Local\Temp\Purchase Order 202319876.exe"2⤵PID:728
-
-
C:\Users\Admin\AppData\Local\Temp\Purchase Order 202319876.exe"C:\Users\Admin\AppData\Local\Temp\Purchase Order 202319876.exe"2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2768
-
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2512
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exeC:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe1⤵
- Executes dropped EXE
PID:2156
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv1⤵PID:4736
-
C:\Windows\system32\fxssvc.exeC:\Windows\system32\fxssvc.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:672
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
- Executes dropped EXE
PID:4392
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"1⤵
- Executes dropped EXE
PID:1336
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:3488
-
C:\Windows\System32\msdtc.exeC:\Windows\System32\msdtc.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3448
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
PID:4264
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exeC:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe1⤵
- Executes dropped EXE
PID:5020
-
C:\Windows\SysWow64\perfhost.exeC:\Windows\SysWow64\perfhost.exe1⤵
- Executes dropped EXE
PID:2032
-
C:\Windows\system32\locator.exeC:\Windows\system32\locator.exe1⤵
- Executes dropped EXE
PID:3792
-
C:\Windows\System32\SensorDataService.exeC:\Windows\System32\SensorDataService.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1980
-
C:\Windows\System32\snmptrap.exeC:\Windows\System32\snmptrap.exe1⤵
- Executes dropped EXE
PID:1772
-
C:\Windows\system32\spectrum.exeC:\Windows\system32\spectrum.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3652
-
C:\Windows\System32\OpenSSH\ssh-agent.exeC:\Windows\System32\OpenSSH\ssh-agent.exe1⤵
- Executes dropped EXE
PID:3756
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc1⤵PID:4128
-
C:\Windows\system32\TieringEngineService.exeC:\Windows\system32\TieringEngineService.exe1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3192
-
C:\Windows\system32\AgentService.exeC:\Windows\system32\AgentService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5024
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Executes dropped EXE
PID:3484
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3592
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:632
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Executes dropped EXE
PID:1100
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4336 -
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Modifies data under HKEY_USERS
PID:4448
-
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 8962⤵
- Modifies data under HKEY_USERS
PID:2720
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.1MB
MD59a614f1a2fc5ef7839f5becdbc6a3c1a
SHA1029c4e42118e56b729894416b06acaeafed43115
SHA256c4054a8a89968ec98da72ca8656ee675e0f840e92b777f66d199fbc4d2cc54aa
SHA51251b7646910aba0095b84fee8554b19eb2892a539a86ac92adec46f2aab4f7c51298f84e21a728860741adff213508a757cee432f267c46fda09a29fe189fffc7
-
Filesize
1.4MB
MD5a85b5c97d5850fc5ec1657349876b548
SHA182d0b6c8b569300b026969ac785ba1171d69ff9a
SHA25608ad2cd28bd8659550ec9aa484278aa5e9dd73d1cddeb1cfabc94ea995618ac1
SHA512b2dd98c0775cace8aea5d9bbaa8cfd37973bd67bbc7721b5a260be4356b8a8d342342f228bdf53c3a2d3764c1bc8bd1a32ce88e9e08365a157cf16361238c340
-
Filesize
1.5MB
MD5ec99b81d7d3197e4d7f8fa20f1b8c613
SHA10f36ae90e8ab65f4169c693f51fabafa16e1d736
SHA256482db57bb12d4815f81a1caff91447b825be6827eced034d88ed1ae9a9584cc4
SHA5128ec2765b212ea7d50d62f2c5df320317b44f3b7c4722245498584922aac138c71e05497c5bb27e58ad1aff01ad203fd12cb88112cdf19ac7aef39d8fe2267073
-
Filesize
2.1MB
MD5c8073bc7ad810c28bb802e39ab73915b
SHA1bcd3345ff3c9033a3f9c7f9d732806af4d030ae4
SHA256d3a30517c85d2c61a15273688fd15bf47f8bccd21127937bc994c68678bc7251
SHA5125d680ab59525959180d30ca5e7ab718d88d07579eb5ca7f9682a42a29264ed4a0093ba4daa7fb03134448025e4a4c3d7020f4db401629bca4031a05ab545e61f
-
Filesize
1.2MB
MD57d047f86a0d9ea2f34ac9451bee9010b
SHA1b37084d9f342e70b2ba28a78bd2b3f6dba6fbb19
SHA2561719c4babafde3747130a23aa9523e19b0ab74bff307af8e5a4a52feaef6ce1e
SHA5123f735be0db8615e4479faf27d0662a4a0054c9d0a209e9f731652320fc7778d4bc1ea7118b3bbf0560ee6cb43601e135a5ada6d0f0784312bbb856fcdb6d8175
-
Filesize
1.7MB
MD53b1d8b61b4d5bf4b9568c9c921b4c75d
SHA1076e619f038c0815342338739b759a64eb4a3cd2
SHA2569fe14d62aba56c4428f95bd83575d3b4c74d47ed501d0c3611a794fd868fa852
SHA512f7871b46d107867f7042b44e879068759d97001c049799bc929da978b268f42c1c072d2724265cf70dee663a747a1a4365ce110be9f40334d1c771d689a4195e
-
Filesize
1.3MB
MD56863035026b6522cef81b2349798a0ce
SHA13c8d97dfd6e47513213907b6c9b354b13f3de166
SHA25689d24eb9282e9d2ffb59a40c2204febca1efa4bb38ddd2b5880d088d8ea222f1
SHA512904a5333ad795c6ea0d2f677c236b9073fe0d0f839909381bfd05d5f2a18a8667806cedd7f98c5144d12c8d4da01862eed722668736da5d72bbb053c52ad5c9e
-
Filesize
1.2MB
MD509d4036257c40bde3d30cc37461efdba
SHA128d14e050d1bd8bfe818fad2eadb3d61e873e139
SHA256539fad92159cfb983e8cc56aa83b04bb7854d31fbdeb1fe85f66948a34029f25
SHA51267906ec36ec57275cbf295bd6a8bc06a5e08e38b3011de06231adff902098ef5292dc71a75cec919b27383ea19189e9172ebed00c4bcc9f0e411bc3dc0b5fb4a
-
Filesize
1.2MB
MD5e69bed59ca73faf98194a26ff951ed8f
SHA1dbdc6de7abcefacc83c309927e87592e0ca26ea1
SHA2562f7879f3ff71b5d349625c6b3013c1741a1250ab78d8cd553fea1f512464d119
SHA512f8b1b771b53373460307c708f2b52d3309cb476b82dc830fac89a7fc22cd43f1a6dd6ca5d22413151dbea1a19c095beaf76ba8a9b21ba8ef924379b4cbd4f540
-
Filesize
1.6MB
MD5f8bbe6757c54ee3d29e4131d37c2edf4
SHA158ae9a360a3abbdbeaec47672ee2e2d8de7de866
SHA256c55efa83980bd90f2c9b0f1721392a690b286c03ae26cd3a78c6680e31ce7812
SHA512513851f28c67457642603dff61397c4aeee98d5f9ca1977868e068d1d9af67294b3b6e1173bd98b52765a32e0d6e67db0d1aeb83c77b864ba822a2db9dc38e09
-
Filesize
1.6MB
MD5f8bbe6757c54ee3d29e4131d37c2edf4
SHA158ae9a360a3abbdbeaec47672ee2e2d8de7de866
SHA256c55efa83980bd90f2c9b0f1721392a690b286c03ae26cd3a78c6680e31ce7812
SHA512513851f28c67457642603dff61397c4aeee98d5f9ca1977868e068d1d9af67294b3b6e1173bd98b52765a32e0d6e67db0d1aeb83c77b864ba822a2db9dc38e09
-
Filesize
1.3MB
MD5adf3ce14cb89bc6cbc96532d21cf2ad4
SHA166d4bf7cad62287ec17a38557a23daf362b8511b
SHA25654660ab1ddd1555c79b5858001a410985c7b7915e0df596c30b8bd310c45bc93
SHA51225d2e462f08927a5e01646e6e45fd091d29e8f3d8dd10fb3f6caabf94a61e72979dfcf95495555b869ad99593587b7beaf3b44bf0b8a73818dfdb2944aab0967
-
Filesize
1.4MB
MD58cf95c2d01377dcb931efa9218faf180
SHA1592b808748a1f374bdc9bf29bf014e52c4870154
SHA2567ad78b30003fa1466af8c3edc32cc161d87b6719199360ec3417e7cf8ee8d658
SHA5129574bc6ae2e41eba20321533f05849535edbdd142321b03e5135c61a58da7f811608fdda32e340dd8bb7b814dae97d0bfa316f6722fd401cfa3bc3d9e66f1288
-
Filesize
1.8MB
MD5725183e126588c1de3efe6cedfb27689
SHA1f9e98b964ce2e08455a6c68c9f76a95d091b08d8
SHA256f4b5fbd0a010aced5cdb8fe00c658327738affc8ae19a3eaf2a0b74db81ff2f6
SHA51247ea6844f7dc21173f9f9d3055d7b8aec65d1be8f1b252d39466feccc2116824ee73781b27e5c62fbad131bd6222ba487eee58de4fb2c5e2b40378f90c969ec8
-
Filesize
1.4MB
MD576691b56eb59173df91eadac312f2a28
SHA1b34c23a8e3faa7115ec23c0f904d62c0f018d75d
SHA25611ec235c905a1c1cd078f61f40c87866f87f07ce258f9b9fd52e92fb49e43002
SHA512d3b371b24bac31755b281d0d53f0948f3f785ea3fe84482bfc3607f7b4830a6a580916fbed86f01f6fa68b9f0da06757e7672193a611c2446a392e53f5e78b31
-
Filesize
1.5MB
MD59e3b210389c184f139c3dca846fb22f4
SHA11c67499f8d1020a56454a585ecbfbd250afcd07a
SHA25677d8a165d9fbb66c22bfc485b579b7a21989e5afa964d8079ef68d2d2aadf085
SHA5124e784801fdd38c0ec3f6b88c0db7f4e1802dac355db86664251efd2e9a3ce6af612330cd1d667489ef21f7e0fdedbcad7cec8e82baf215b257e9bcd2d13d741a
-
Filesize
2.0MB
MD5cea109f394459de729501b368853167c
SHA1b865de4f867ec3fc4fddab405c671f0ff977942c
SHA256fdf23eca6ebb4ffe0f6389df0f7b0cbfd05a8dd5b88ce41a3c3201a1f1d0fe6e
SHA5122ca0e4aa75b17ced54e99d91097605429c9fd6d60fda0db623dcc6233386468da4325736a06e29f1d7a4241b425a5192f4708bf64f9cd4f858a08c17fae5e892
-
Filesize
1.3MB
MD52560f3082cacd83143b2333a01c89d6e
SHA13ddda3a1972048044c7f87934c2f9351c9b2a9c1
SHA2566a2067a3ee7d7d8653faf224f3c834340b910c57d8c1246ed2f46279168ebff5
SHA5123c9aa4769f967e45b2cbe46583467c3b05761ac0d8084ade7f6c8538e5d74f85bad1b7e3c459772727d91c37a30392093d6844c4d9247a369f763fe184f6c238
-
Filesize
1.4MB
MD5261183529dda4f83247af8c9a89aafea
SHA1bcd7afdaf4b96049a9c095d7bd349faedf378ba5
SHA256e99dc6f3f48981899d4b13a8a8973507a184aa4860c843cb24e8e1b22e3eb63a
SHA512fe7fb714e10b6089b912304a250be870459cc5d7d0dd58f03d45a5cde4154b135f801812252bd239e234fe2dcd92545677bef70a6a1a5c45035bd286e7399832
-
Filesize
1.2MB
MD5959bfe425d6c45ce99349a3b7978af0b
SHA12cac49fec0a5f76b909a2782a688992d9651cd3a
SHA256d0aac24a64dc4345bcc829ad2f2b509a56f5825ca57971995e0ef18b04812d1f
SHA5127eeea7e9ea45aa84ac1e69e8e8b54145a15f4b341ae13a379d7c2549f7420cd5f12ad27647ecce614ea3c9dc8f10452897795fb453004d2610ad033166307952
-
Filesize
1.3MB
MD515c7919d587d1b37842e2d6607035bdb
SHA1e00ff9e8d1a8f854feb4bd1859f73e0e9aaec923
SHA25642792d2abfbcaf74b0494bebcebad705f8370bcb9bdfb1639a40dbea9d7d8968
SHA512aacd62b85d569b85f6d93d0f473f1622e2b7b61970585b08413c5ba91088fd8c6f7f3a57a23a2aa0ad72e39010f4bd8dd1cdd9d1a747f0659601195c09705a30
-
Filesize
1.4MB
MD596b5ce3ad00f3c33c978d6baa0296ddc
SHA160ef74a4c2f1ecf5c8fab0b466679c1350b9ab12
SHA25616904731c8f852d69ab50fe8ad69e7aa35261019cf4e28fc31621db52fce3f18
SHA512f067cbf47ff91a7eae5c93de78d4a87955cdf8384d3a20215c4ad51dd58fcd989bf2f3988071b3854b4476e47fbf49d3e72ac06f57b69f1b2d0661d21f408a18
-
Filesize
2.1MB
MD58e96cbff95fbafa748ae27d723517be9
SHA1078e53d2e6702a939931b628aad42bab0f8c640e
SHA256a86391753a7cf544041915967378b7dafe2c3e84aef1dbc0441bb60b81e68403
SHA5121aeca7561091c22feb0f6f9a7a3e540af639f5323aba6676aa3e58921f587230c405b93f5ddb7c51bc4f2b7a8c4ac57714632b5ee93f67c7c150da81ca64b3ea