Analysis
max time kernel: 167s
max time network: 178s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-05-2023 20:55
Static task: static1
Behavioral task: behavioral1
  Sample: PurchaseOrder202319876.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: PurchaseOrder202319876.exe
  Resource: win10v2004-20230220-en
General
Target: PurchaseOrder202319876.exe
Size: 1.5MB
MD5: a838a2013c038b3a5039cb9abb199922
SHA1: 6a315d36c940cd95359cd4ef46c5688352a22a42
SHA256: d4f62b8520f3f0e84b19769be0f7bcdc20e41af8cea048261f3e37c0428b22d7
SHA512: 8b80c742b598d0df74e5d7b57e5ceb386d74531572a41b02614651ef9f914367e00ef23c12548f9009500af8ca9d6085406d417fc405f6ca528222a77ea83cbe
SSDEEP: 24576:Bq3UElwshsKgvyH1kz7iQ2Py9so+4XfbqQtTpSrwCDCSD85vvOn2rRAJdqfcd7AH:Q3UElf6Lk1y7iSFd5BvWn2WJdyk8P
Malware Config
Extracted
Family: blustealer
C2: https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325
Signatures

BluStealer
A modular information stealer written in Visual Basic.
Executes dropped EXE (22 IoCs)
pid | Process
228 | alg.exe
4748 | DiagnosticsHub.StandardCollector.Service.exe
1808 | fxssvc.exe
1404 | elevation_service.exe
2748 | elevation_service.exe
4584 | maintenanceservice.exe
4272 | msdtc.exe
2228 | OSE.EXE
4624 | PerceptionSimulationService.exe
5076 | perfhost.exe
3480 | locator.exe
4788 | SensorDataService.exe
4628 | snmptrap.exe
4504 | spectrum.exe
1488 | ssh-agent.exe
2920 | TieringEngineService.exe
4000 | AgentService.exe
4164 | vds.exe
4820 | vssvc.exe
4388 | wbengine.exe
2236 | WmiApSrv.exe
744 | SearchIndexer.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AppLaunch.exe
Key opened | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AppLaunch.exe
Key opened | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AppLaunch.exe
Drops file in System32 directory (24 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\system32\dllhost.exe | PurchaseOrder202319876.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | PurchaseOrder202319876.exe
File opened for modification | C:\Windows\system32\msiexec.exe | PurchaseOrder202319876.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | PurchaseOrder202319876.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | PurchaseOrder202319876.exe
File opened for modification | C:\Windows\system32\AgentService.exe | PurchaseOrder202319876.exe
File opened for modification | C:\Windows\System32\vds.exe | PurchaseOrder202319876.exe
File opened for modification | C:\Windows\system32\vssvc.exe | PurchaseOrder202319876.exe
File opened for modification | C:\Windows\system32\wbengine.exe | PurchaseOrder202319876.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | PurchaseOrder202319876.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | PurchaseOrder202319876.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | PurchaseOrder202319876.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | PurchaseOrder202319876.exe
File opened for modification | C:\Windows\system32\spectrum.exe | PurchaseOrder202319876.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | PurchaseOrder202319876.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | PurchaseOrder202319876.exe
File opened for modification | C:\Windows\System32\alg.exe | PurchaseOrder202319876.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\c7736cfd50d0d086.bin | alg.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | PurchaseOrder202319876.exe
File opened for modification | C:\Windows\System32\msdtc.exe | PurchaseOrder202319876.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | PurchaseOrder202319876.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | PurchaseOrder202319876.exe
File opened for modification | C:\Windows\system32\locator.exe | PurchaseOrder202319876.exe
Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
PID 4680 set thread context of 2728 | 4680 | PurchaseOrder202319876.exe | 83
PID 2728 set thread context of 4652 | 2728 | PurchaseOrder202319876.exe | 86
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\nbexec64.exe | PurchaseOrder202319876.exe
File opened for modification | C:\Program Files\Mozilla Firefox\minidump-analyzer.exe | PurchaseOrder202319876.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\ktab.exe | PurchaseOrder202319876.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\bin\unpack200.exe | PurchaseOrder202319876.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\pack200.exe | PurchaseOrder202319876.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe | PurchaseOrder202319876.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\mip.exe | PurchaseOrder202319876.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | PurchaseOrder202319876.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\jcmd.exe | PurchaseOrder202319876.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\keytool.exe | PurchaseOrder202319876.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe | PurchaseOrder202319876.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe | PurchaseOrder202319876.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe | PurchaseOrder202319876.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\jrunscript.exe | PurchaseOrder202319876.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | PurchaseOrder202319876.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe | PurchaseOrder202319876.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe | PurchaseOrder202319876.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\pack200.exe | PurchaseOrder202319876.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\bin\jp2launcher.exe | PurchaseOrder202319876.exe
File opened for modification | C:\Program Files\Mozilla Firefox\default-browser-agent.exe | PurchaseOrder202319876.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe | PurchaseOrder202319876.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe | PurchaseOrder202319876.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ExtExport.exe | PurchaseOrder202319876.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe | PurchaseOrder202319876.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\unpack200.exe | PurchaseOrder202319876.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\wsgen.exe | PurchaseOrder202319876.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\bin\servertool.exe | PurchaseOrder202319876.exe
File opened for modification | C:\Program Files\Mozilla Firefox\updater.exe | PurchaseOrder202319876.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe | PurchaseOrder202319876.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Install\{0BAA8BD4-90AF-4FCB-B1A3-821C23211F59}\chrome_installer.exe | PurchaseOrder202319876.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ielowutil.exe | PurchaseOrder202319876.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | PurchaseOrder202319876.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\bin\kinit.exe | PurchaseOrder202319876.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice.exe | PurchaseOrder202319876.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | PurchaseOrder202319876.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe | PurchaseOrder202319876.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe | PurchaseOrder202319876.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\bin\javaws.exe | PurchaseOrder202319876.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe | PurchaseOrder202319876.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\jp2launcher.exe | PurchaseOrder202319876.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\keytool.exe | PurchaseOrder202319876.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\bin\jabswitch.exe | PurchaseOrder202319876.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | PurchaseOrder202319876.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe | PurchaseOrder202319876.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe | PurchaseOrder202319876.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE | PurchaseOrder202319876.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE | PurchaseOrder202319876.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe | PurchaseOrder202319876.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\policytool.exe | PurchaseOrder202319876.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\bin\java.exe | PurchaseOrder202319876.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\ktab.exe | PurchaseOrder202319876.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe | PurchaseOrder202319876.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\iexplore.exe | PurchaseOrder202319876.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe | PurchaseOrder202319876.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\jhat.exe | PurchaseOrder202319876.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\klist.exe | PurchaseOrder202319876.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\ssvagent.exe | PurchaseOrder202319876.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\rmid.exe | PurchaseOrder202319876.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\tnameserv.exe | PurchaseOrder202319876.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe | PurchaseOrder202319876.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\rmiregistry.exe | PurchaseOrder202319876.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe | PurchaseOrder202319876.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe | PurchaseOrder202319876.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe | PurchaseOrder202319876.exe
Drops file in Windows directory (2 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | PurchaseOrder202319876.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Modifies data under HKEY_USERS (64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ac4fd456b77fd901 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a5d3b355b77fd901 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bfce2153b77fd901 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f01c1f56b77fd901 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | fxssvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx | SearchProtocolHost.exe
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
description flow ioc HTTP User-Agent header 93 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
656 Process not Found
656 Process not Found
-
Suspicious use of AdjustPrivilegeToken 38 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 2728 PurchaseOrder202319876.exe
Token: SeAuditPrivilege 1808 fxssvc.exe
Token: SeRestorePrivilege 2920 TieringEngineService.exe
Token: SeManageVolumePrivilege 2920 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 4000 AgentService.exe
Token: SeBackupPrivilege 4820 vssvc.exe
Token: SeRestorePrivilege 4820 vssvc.exe
Token: SeAuditPrivilege 4820 vssvc.exe
Token: SeBackupPrivilege 4388 wbengine.exe
Token: SeRestorePrivilege 4388 wbengine.exe
Token: SeSecurityPrivilege 4388 wbengine.exe
Token: 33 744 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 744 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 744 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 744 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 744 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 744 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 744 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 744 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 744 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 744 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 744 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 744 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 744 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 744 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 744 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 744 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 744 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 744 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 744 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 744 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 744 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 744 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 744 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 744 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 744 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 744 SearchIndexer.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2728 PurchaseOrder202319876.exe -
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target
PID 4680 wrote to memory of 2728 4680 PurchaseOrder202319876.exe 83
PID 4680 wrote to memory of 2728 4680 PurchaseOrder202319876.exe 83
PID 4680 wrote to memory of 2728 4680 PurchaseOrder202319876.exe 83
PID 4680 wrote to memory of 2728 4680 PurchaseOrder202319876.exe 83
PID 4680 wrote to memory of 2728 4680 PurchaseOrder202319876.exe 83
PID 4680 wrote to memory of 2728 4680 PurchaseOrder202319876.exe 83
PID 4680 wrote to memory of 2728 4680 PurchaseOrder202319876.exe 83
PID 4680 wrote to memory of 2728 4680 PurchaseOrder202319876.exe 83
PID 2728 wrote to memory of 4652 2728 PurchaseOrder202319876.exe 86
PID 2728 wrote to memory of 4652 2728 PurchaseOrder202319876.exe 86
PID 2728 wrote to memory of 4652 2728 PurchaseOrder202319876.exe 86
PID 2728 wrote to memory of 4652 2728 PurchaseOrder202319876.exe 86
PID 2728 wrote to memory of 4652 2728 PurchaseOrder202319876.exe 86
PID 744 wrote to memory of 4108 744 SearchIndexer.exe 117
PID 744 wrote to memory of 4108 744 SearchIndexer.exe 117
PID 744 wrote to memory of 1240 744 SearchIndexer.exe 118
PID 744 wrote to memory of 1240 744 SearchIndexer.exe 118
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\PurchaseOrder202319876.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\PurchaseOrder202319876.exe"
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4680
  C:\Users\Admin\AppData\Local\Temp\PurchaseOrder202319876.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\PurchaseOrder202319876.exe"
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2728
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path
    PID:4652
-
C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
PID:228
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
PID:4748
-
C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:4128
-
C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1808
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
- Executes dropped EXE
PID:1404
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:2748
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID:4584
-
C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4272
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:2228
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:4624
-
C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID:5076
-
C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:3480
-
C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4788
-
C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:4628
-
C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4504
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:1488
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:708
-
C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2920
-
C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4000
-
C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:4164
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4820
-
C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4388
-
C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:2236
-
C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:744
  C:\Windows\system32\SearchProtocolHost.exe
  Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  - Modifies data under HKEY_USERS
  PID:4108
  C:\Windows\system32\SearchFilterHost.exe
  Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  - Modifies data under HKEY_USERS
  PID:1240
-
-
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize 2.1MB
MD5 af70ad8517db58a635d96498ee6be939
SHA1 6d20940f1b205ab62e78f66eaeaf66a6cbc43724
SHA256 a9ea5735f3f3989eb7a1c3daa7c5f994e3a0898d8d2e70a3d2a859a57c175440
SHA512 99ef51afccee6c8086b7258933b6b016037bf928174086e2c9b289da83fae5a1165d8a03686ad97bea5bc3538fda28b6931b37ab3767ccf93ddda77fcce58a1f
-
Filesize 1.4MB
MD5 fa4debc8640b01debcd76c9571da0f6a
SHA1 cadcaec0ea2418f8e3cf487fdafccd4860233312
SHA256 1e10cbf5ba59869e9232331ff0ce45b8af8bceb5aab1e0cce19b0f91d38091fe
SHA512 90e6953dbb0675d98d37d1032d894db144ee140ad7a2c68dc390ef970df11a978884232a0ba37aa1e7dd368a1b5865beb4abf4f5b189e25f043f96e6e92c358d
-
Filesize 1.5MB
MD5 c64f81a7167e720ead6758b9087a3d3f
SHA1 edf884a69495ade08e11140224c5d66e7f3ff1b8
SHA256 a39cd850cfa082824ff4771fdaee2a31c9b734e2942d6e021648a9f87b62d8ff
SHA512 3b53f3c2faf80840566acf3a5fc4211e2398b2de93b9d564867c5abd9f5c2ece2fcd3e8f781435d06d4b30fb5bc84cb5580b2a71b5b2513924af3e7d923e2b93
-
Filesize 2.1MB
MD5 285841abf90491f00912250d26df1593
SHA1 ac66749c579e3bf79edd21b8d065e649e66c544a
SHA256 6991cac22a2e99ad6f57651ec07796250205f0fab2809e16044ef933e0c9f065
SHA512 381ba56822c146ae90db38508c2ce1da78d5196dc6c9828b520b8f106991546e377e49c2f7d3fc3c1e5f307301ac6e9d9338d8231e53cbe070bbdcf04eeaa4a9
-
Filesize 1.2MB
MD5 6f8ba0d78e8d01e2396d63f1739e8591
SHA1 e1f19fdcb799d3d902d6ccac63c6dae2216059d1
SHA256 9684d645b0075fdc057d8e777656f372a4b49a0bfc6d0cfea640e420b7f80294
SHA512 3f851e3e37a97f1d3016940ede2e8ad2a61112121dee3f52c2e12c4daeec3cfc7f794829d1220015bc70ccb76d4c74469b4de79806a4ff1d6e46576e46422406
-
Filesize 1.7MB
MD5 d0311cb4c6907b68319df25ca5abac30
SHA1 9466d0dc9748dc1ec49d2c898e8191e5e3b85abf
SHA256 3e9278619f34161521239ba925bb3dd30a12ce7e8624b8e07559404b276e6973
SHA512 1c89c255a8d7f40a51039395086c8bd0b8601ba3b39145c65c2b73ddbd35051fc7d830e2577d8ab9749991cc86e1ad9909c16cad247d15ffd837aab36a6db767
-
Filesize 1.3MB
MD5 5e33b577393845cd5f25783232862c65
SHA1 c9db07315063c99ef78d832d41adaedc0f1ef0e8
SHA256 90faf4ed01d33aebef9c0362e50b22106c8748ba721e7bfb2e36dc899ffec379
SHA512 ebfce0f92e232ef5e29744825276d345b0398d6ffbd00274d523d5879fa82a462297f2a3a8462e48a7a7c1296f9494c62a3373994d0f95cf010cf364c92cc61c
-
Filesize 1.2MB
MD5 2a583cbd0e9d9c6e76f0a4f04487f5e0
SHA1 c605e25700e4bb95ee137a1b5eb367c182fd307c
SHA256 7ddfa0fd95b77236c12773ac90dd978157050075318f9cdafc4d0fb62362f23b
SHA512 fc5f400fc0bed59d831e8f30933c2710872854a96b849956d6deaccf1d575ab1b93a0dda002870c2bdb026b4d1c020cba55f03f5e5f3e5182a20708f38a5fa39
-
Filesize 1.2MB
MD5 3bb12b7e63daaf2bc1ea6537ff855f23
SHA1 491e7dd5d7f703abc023b941121a252694f5c854
SHA256 ad71bd4ea6da0e6b83f3766722148f77e82889e099c5104b0c8e59e88a636670
SHA512 eebf694c2816c5b7a739d0a5dc950d9c6633da1655cde32bd1694e600a8708da432a6bd7b9d9b3bc9cdae09318c190bd2feb747456bd3ca4c3ce86072b64660f
-
Filesize 1.6MB
MD5 e6d97818c6dd0daf5ed0c46342ae123e
SHA1 6bd2485bc34354cca1c1d9d395fe265752364517
SHA256 421fdcc32626cbc847d9fcabd5c20d5f2cd8faf164149db0438ce5631df639aa
SHA512 8639a40a8c06550fe66e5310e09a92b0519aa85f28af8bdcff60300dced5d367b89a4a079b36462959d5b76577ca098901bbcd77a04057e2e80148431165107b
-
Filesize 1.6MB
MD5 e6d97818c6dd0daf5ed0c46342ae123e
SHA1 6bd2485bc34354cca1c1d9d395fe265752364517
SHA256 421fdcc32626cbc847d9fcabd5c20d5f2cd8faf164149db0438ce5631df639aa
SHA512 8639a40a8c06550fe66e5310e09a92b0519aa85f28af8bdcff60300dced5d367b89a4a079b36462959d5b76577ca098901bbcd77a04057e2e80148431165107b
-
Filesize 1.3MB
MD5 5bb0beb8ab4896622e6948b5b32ba1e1
SHA1 cb397868b1911d7334d7db09ae504d2b5d964a63
SHA256 17142b2e75b55200afc3e07a801a22164b3bc49e69c3ee30274d1baf27d35832
SHA512 63398cb6f991483e74b4e356af8f0bcd2810c35f1f27c3cee1d9a7055017ab01ec8e9b4b68e09cfe44b20100a6d0ad3d3ebd665f72674b0c82bd10a651647cb5
-
Filesize 1.4MB
MD5 f789c9001d67d09ec2bcb75e8fadf503
SHA1 7878167253883e1cef83cf60700a59188b9f3092
SHA256 64a092e29a03847c8abcabf9f57729c083a87ad3f3e4c9155764b7dc5ffa3dd1
SHA512 61c2cfb1e8019aed7146179af3376a4810f3caa63addd1cde217d96a390b81d12ed5439f761bb418a4b3094d11ede8cbf045e1d466ba3da6eec86eb195504ba4
-
Filesize 1.8MB
MD5 c3b61ff8efa9e30f773c1c2f00c50174
SHA1 ba5b35921de2bdf2168db5e07149eb3a4eb8aaf6
SHA256 7aeffb502e2c47c93e69297738a7b31d11754589ed9a4b14b7169e40b3ebe4f3
SHA512 bd3fd4006f8c0f364bfeabfbd9076683400464008c8483ccfd40ce671eef8fb628834e62de3ad9aed96d6e5732ebdfa323dcfe4ee61d1053aa904bb432c9b310
-
Filesize 1.4MB
MD5 b88aa4600d56bccdb64386036cacb927
SHA1 ab938f5094a277ed4f44179e4cb422b6e5a2b155
SHA256 b5f5d2d14b645c30cd92b67416efb6f68cb6f336f0ce8ff15d00816d17b06fc3
SHA512 ae781355860e3154cd2b253701a285a8bd711918be064cd55881476685d5f00109d013a1bed04a7e0691af1c4adac98188bac3dfa6b0c4bbf98370b8ecb19875
-
Filesize 1.5MB
MD5 363ba3f32913b8aa485bc906f5090275
SHA1 7d3a55be236aef7ae80a839a846b1ac8a1a92d38
SHA256 b8be65cbdc61cb9ee23e7c537151dc54a7d03c5bf8dfcc18ec566e42f853da1d
SHA512 0f4eaa6d35b3362da4ce21bb21d43b29162d4784046b03d9cc3446ea70821729888c0f6106b3109e5f28019bf9779c2229046f519ce4317ec79c3dff5bef53a8
-
Filesize 2.0MB
MD5 2995c5442ffb7b0ca516b313d8e40f7d
SHA1 a220786b394463771d576a1fce3c38a2c19d10d1
SHA256 ab889317dffce21724916231ff3d0ce672022b495b4b265b1a5852fe8c619053
SHA512 9f434d5cf757150b05fc507ca9da82ddf49189eeabe43c314b2f106e155fd796bf08a6061bb80b3315a05db351d4fe84fb897d5cd875177a74e0dbc68b7f8297
-
Filesize 1.3MB
MD5 de10de836da2cb409fc37bfdac022bcd
SHA1 68bbf5b6d447f2127b2ed5e2b3b888411d121d85
SHA256 41eec6ee9d7d00e24187113422288eca1780ccaf9cce8279cca089716770ac0a
SHA512 4f45a2fb0191ccab2f14aae6433fddb877981dcf18199393d807902929d4039813fa6be6b7e5425f9265c0473d79ae682064d57790f07be92638900bb90966cf
-
Filesize 1.4MB
MD5 4b7bcfb4997771c1971eb0761f6863f8
SHA1 4f820f128823d6252840f951fb045a2c657a21df
SHA256 0f6fcbb96b206a20f7b2d1fb02dd0db09ed3cfc25c5f9ba5fc615f538a12a6db
SHA512 9c53fbac111b43ef7ae966a71ed7056bb51b0549e512e6b380527b502631db604e1f0e01f98c8eb0b858f3dba9c96611cbfb4d9d35564d7e929ee4075ade281c
-
Filesize 1.2MB
MD5 98744cb50511558b737e33ba515969f9
SHA1 dbad43e424926ecddf666ec676c980d4beb9ac97
SHA256 cf6dbfac05a7e6d49e8fec862542bf99c0dc133d9e5824b7ba334b282288319c
SHA512 01fd3f107f741131d9255cb8cef7b40a4ab14f6e4194654794d04370a53c69f7cac0e27d36276cbb8da8697c8c3a5d76a92add53268761d4ded3d738b8cd9772
-
Filesize 1.3MB
MD5 c0c72779cfe7ea57561df72497ff6389
SHA1 ca1de6b2e90f30da838cee1f8b310b4089e56426
SHA256 2744d627167f6d5ddf68b1e38110f4403112413f5b0b4234538102bc5d4a7c93
SHA512 dff20648d4263037f0d5997f5202fef997a9bb48ee0ec238220d41abc328c120974cffd7b66eb3632d5b0a9c838f4b1f959ffee8b48083881c79bc94cad418e2
-
Filesize 1.4MB
MD5 f23d2d3a5dd8231f3e49d3a80d48bb46
SHA1 06a71a806363eb08fc8b3052f0bd6a12fc026048
SHA256 7975222bd3d9b29083a40c464c3e028c2752a8cb27d01f5022bd14fa3dabf56f
SHA512 7154a339e509e85f69cdaff81b416e7256451daefecc292696a1bd3091836a6ece0355bf1ac86497d8c2c8cdca9d68c64a0ef85bb5323c68192a7f4eef06e7b8
-
Filesize 2.1MB
MD5 289ebe7062c246bb010674c15968d0fc
SHA1 7ed7c6f5bf161f118d8ecf6276a39edf3ffa20cd
SHA256 ad4fa6472fc7b8afaaa9f40f78d3d28e3478c88107c1c4383222481551f6f5a3
SHA512 cdc139330986061717d414dad1c0e030c85d9aa4585a8b0107f7b42db83e808627d34ce5a6301bd789b49f6e29f51354447a427e1a3d724308e684f3602ba0e9