blustealer | 6bd883240fc97aff61fdafa84f6b28ac22849b0097dc80c3a4cfa75611cf14b6

Analysis

max time kernel
162s
max time network
175s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2023, 21:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Purchase Order.exe
Size

1.5MB
MD5

50815feaceafebb93a883fd6790af856
SHA1

9eee055af8be7bc6de2b6a3b869b553758ca741f
SHA256

a894ab5bc1a3a77398b7c8b154acc165d9dc5e4e183e573daa8dda6c969d58f3
SHA512

08fedff0fca35a0be3201f41e2583089284640e98f8597d4b33582e3b0b7157db4d7da0b1587deccd69564911b702fe159e9de9700cf6edee875cbf191d64e0d
SSDEEP

24576:EMQt9u/6kEu3h2ZuJPsbIf0O9AXpTHH6yTuEBEel9DWtJ/qBcME7W+DUn+GOaHjR:Wt9u/6kzwu7sjFpBEeritJ4QB0ZljJ

Score

10^/10

blustealer collection stealer

Malware Config

Extracted

Family

blustealer

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 16 IoCs

pid	Process
2672	alg.exe
1944	DiagnosticsHub.StandardCollector.Service.exe
1848	fxssvc.exe
5016	elevation_service.exe
1528	elevation_service.exe
3020	maintenanceservice.exe
1764	msdtc.exe
924	OSE.EXE
5076	PerceptionSimulationService.exe
440	locator.exe
3972	snmptrap.exe
1300	ssh-agent.exe
2236	AgentService.exe
4676	vssvc.exe
4320	WmiApSrv.exe
1324	SearchIndexer.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\dllhost.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	Purchase Order.exe
File opened for modification	C:\Windows\System32\msdtc.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\msiexec.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\AgentService.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\wbengine.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\spectrum.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\94ebc12fea807a0f.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	Purchase Order.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	Purchase Order.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	Purchase Order.exe
File opened for modification	C:\Windows\System32\vds.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\vssvc.exe	Purchase Order.exe
File opened for modification	C:\Windows\System32\alg.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\locator.exe	Purchase Order.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	Purchase Order.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	Purchase Order.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1300 set thread context of 224	1300	Purchase Order.exe	85
PID 224 set thread context of 1048	224	Purchase Order.exe	89

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\ssvagent.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	Purchase Order.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	Purchase Order.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jjs.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\rmid.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmc.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstatd.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javaws.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\keytool.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\pack200.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\wsgen.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ssvagent.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\klist.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jinfo.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\native2ascii.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\pack200.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\unpack200.exe	Purchase Order.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmap.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\kinit.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\java.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jp2launcher.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	Purchase Order.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jcmd.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\policytool.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\schemagen.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\java.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\nbexec.exe	Purchase Order.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jhat.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jjs.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\kinit.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jjs.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\kinit.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\servertool.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\tnameserv.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\klist.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jp2launcher.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\rmid.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	Purchase Order.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmid.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\xjc.exe	Purchase Order.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	Purchase Order.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 36 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 16 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	65	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 38 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	224	Purchase Order.exe
Token: SeAuditPrivilege	1848	fxssvc.exe
Token: SeRestorePrivilege	1492	TieringEngineService.exe
Token: SeManageVolumePrivilege	1492	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2236	AgentService.exe
Token: SeBackupPrivilege	4676	vssvc.exe
Token: SeRestorePrivilege	4676	vssvc.exe
Token: SeAuditPrivilege	4676	vssvc.exe
Token: SeBackupPrivilege	4928	wbengine.exe
Token: SeRestorePrivilege	4928	wbengine.exe
Token: SeSecurityPrivilege	4928	wbengine.exe
Token: 33	1324	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1324	SearchIndexer.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
224	Purchase Order.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1300 wrote to memory of 224	1300	Purchase Order.exe	85
PID 1300 wrote to memory of 224	1300	Purchase Order.exe	85
PID 1300 wrote to memory of 224	1300	Purchase Order.exe	85
PID 1300 wrote to memory of 224	1300	Purchase Order.exe	85
PID 1300 wrote to memory of 224	1300	Purchase Order.exe	85
PID 1300 wrote to memory of 224	1300	Purchase Order.exe	85
PID 1300 wrote to memory of 224	1300	Purchase Order.exe	85
PID 1300 wrote to memory of 224	1300	Purchase Order.exe	85
PID 224 wrote to memory of 1048	224	Purchase Order.exe	89
PID 224 wrote to memory of 1048	224	Purchase Order.exe	89
PID 224 wrote to memory of 1048	224	Purchase Order.exe	89
PID 224 wrote to memory of 1048	224	Purchase Order.exe	89
PID 224 wrote to memory of 1048	224	Purchase Order.exe	89
PID 1324 wrote to memory of 2592	1324	SearchIndexer.exe	116
PID 1324 wrote to memory of 2592	1324	SearchIndexer.exe	116
PID 1324 wrote to memory of 3924	1324	SearchIndexer.exe	117
PID 1324 wrote to memory of 3924	1324	SearchIndexer.exe	117

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1300
- C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe
  "C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:224
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path
    PID:1048

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2672

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1944

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:692

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1848

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5016

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1528

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3020

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1764

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:924

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:5076

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
PID:2968

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:440

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3972

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Checks SCSI registry key(s)
PID:4444

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1300

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1492

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2236

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5028

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:4656

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4676

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4928

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4320

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1324
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2592
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 900
  2⤵
  PID:3924

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
0a3fe3ad4e3e08aacc380a6180d181fd

SHA1
2c0c4ac5bd94030e70bea26e52d16cf24d846095

SHA256
bc3efdfd38689c0ecc6807680bff09068ae04545723e0f9192529c02c2b9d29a

SHA512
8ed3e868fb11ce0cd9ff64d091aa93dd2d7f6e30bef0344b7c6314a39d494e021d13b7d6d95ea6e9432a575d58f92334f23dddcb8b247464d8a07ad534a56fa1

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
da493f0cbd6194122ab08f74063b5862

SHA1
a97733baafe7506f60505cb02394622323a1f05a

SHA256
bcd2efffd9531369ed81300a2cfec24c16232bca2c5fe8049e14134d661f6388

SHA512
c09f8371992175112899248a4771abf1ea1aeccb7edb5a8a88f58291919da429d72603d8c98644c5c5bfb7a3f0db55aa23d3e4e36e0f1eff3f24a1d7cb9cf71b

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
1b45e805b193c80b22cbdc778dde9964

SHA1
d728752eaa7a95dbd325ef789afdf3e751d20a54

SHA256
257671e5cc2ce8c6eac55d780ac1f66bf8d3c50a2f021d6229fe70ced5037f27

SHA512
bf79d907e7c4837a21e434c223bb38380a66bc6e1372e030f8e2c0804f291d2d68c08e343829ce2d82950b413589b43aefed42bec2586e740be9f2e5332e2c8d

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
4fb3827ca10da3bed2084685cd777e3f

SHA1
44f5b748a732a2d694d16aacf75e04e22b130bac

SHA256
87d7e5e8a7bdeac4d6721124e05d85c4a175431c758afc55a93f6a7d8ea395f8

SHA512
c72ea4435909fe47f37dcc116d6f3708edcaf14da5fe1e62a841a1cdabb204a8b888649845faca3121d832e7dad15f9965e2e15f2122e764432b793545ed0fed

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
57f4e31ff916ae8901cfe79a19abed19

SHA1
8b7b10e5d0af06291b2a572f72e6cf66b6284885

SHA256
c53b9e61997fac3fca5c19b7ecd24562d6d50e0239b37efebb1da6973c5ee520

SHA512
7ff61b3383bb95be0c7ccc8edbc7db2115888068bac39187dc62ad97e93791bc107961f2e4b4a5613f31b7acc3a4103c52a2bcb5c790cb24a776455ab0de0984

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
40caaa75f1c5d31a6d15450129d6892f

SHA1
8f45df27f72ab207137331b9f464b313f1efdce7

SHA256
4dd3280fc4a74726b5be21631b9902f93586a2a3b54787464669bfe8fd12b895

SHA512
f936fbd7bd700458358eba31b0fe193817455c1b27672970f0f5d74ac0c72eb5e5e60a83a6c6c492543b50b3d0da3477e737fbd9e56d2e3aec50ba7ef0503d41

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
b4840ba8e6fb69a0629d490f69a10450

SHA1
36dc9f2b00220bae912ee7dfe22657eea087ce04

SHA256
095c0044cfc4b293d8e590552a2d070a1eb266571b37e8f080f3b35ac28656e2

SHA512
50f489bc67ae031eb0140507100c636699c5b64f414ca25129746f11babaf4847f34a4d9400fcdf27bcbdadcb3c5c85db5c6f1e8188eedf243c7db63a713d85b

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
d58c5ea86b53cef9b1d07e721d0fa2f1

SHA1
5508334e78c6bcb2a370ff9cb1eb7f46464e2561

SHA256
0d9c59687d17ea3c5cb4d4796d84749e2257cf4e143412cde31b199abae15b25

SHA512
e111bcf3670a9e958b4965322bf92a18897cd34882229acdc5a7635a7c24d042bc33015f926757c9ae5b96afc26c499ff480579f50dabd97966c03e14ff024ae

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
2444b6298bb9fad62bcd61732788288d

SHA1
022212c336cce33cbacec8916630e620e47895f7

SHA256
94f1ffc8800447958839b776f851fa633a7ba7c97bf5d8d6a94368f4daab9b61

SHA512
2fe731984062798ed9f7b886c7bc0074894a31e93040f173c1c91207a19733ce68b587ebee9c41339132772402d7f76a857717e492f9a831e24e0120704b989f

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
2444b6298bb9fad62bcd61732788288d

SHA1
022212c336cce33cbacec8916630e620e47895f7

SHA256
94f1ffc8800447958839b776f851fa633a7ba7c97bf5d8d6a94368f4daab9b61

SHA512
2fe731984062798ed9f7b886c7bc0074894a31e93040f173c1c91207a19733ce68b587ebee9c41339132772402d7f76a857717e492f9a831e24e0120704b989f

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
9013d3aa4c7fac5725814ea6af87017f

SHA1
e029d3b3fa05714b92736553555f5a922b479b4f

SHA256
e26563acf48171329312e42d95fe9044a315f3cb74e185fa8c11f72d62814bb7

SHA512
65cd4ebff60d3d285b4fa4dd000a47a4e43ffac95ae2279a248a0757e4348ce29e1d56cafbe3d52ce853a3bc60de3855f221a28ab76dd64a8136cd4319a55e58

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
8ae5ec8bc30e5ba60bb2396103ff12bd

SHA1
52fea07412315efc38f129f0dde535961770aec6

SHA256
a18500bbfc03880cc15833eba41a80dcb266a8ff6d5eeb713103ed0ecb21962a

SHA512
540100ac7303cae99a96477148da55ed92d8482a2182cc7bcc1370744bf1b872af8fde797d562ae82267fc7c1c35804557a8c39bfcb9b820aa90f89d7754e36e

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
1abf03cb7cac969f1f80cb758f20e2f8

SHA1
97af21795ed4687a68364c0532e3298e44e1324b

SHA256
3883379cacfa872bbb7cbaf71ccbb99941ae5585c1a4ada1fe3a2edd97d11f2a

SHA512
5d20d4e3fc2545929c0e1f567563dea5ba0b4592ad9ad2c0f803f35fe8eb4488e510b5a5e0f0f4057a1b9a9c4bb992ff1ad9441f58cc6ed815f312ca5f4de628

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
163cea98d02dc7a3c21c32b920956c53

SHA1
969a0d0e483aed68a1bc6e989c3cda2c92ae0c84

SHA256
58f51136dd1c31906596fd1fa22e3d85d743eeff4b85c55d3817f5c87a4bbde6

SHA512
c12a6a0c339a06a380496aabc4f47c4acdd5e6575ea3b0a72a914bf93b41eb100b93fdca4877ec3e1671ddb168fe56a87527df0e2457d80c87ebb08f7fed6062

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
7251db4465fbcca8b03ee37177c90909

SHA1
1fe7134cdd1a08a415e208fb9d8d36d1d107e9f0

SHA256
921a4caf33e45688d61ac82686e003a057838249d91f4b856eab0ea3bb0e8f57

SHA512
a9a72f1691803b2caafadd342b3c7e65cf977176cda33beb2712afa35cbcbbdc2304fe00d46d091bf5a0cabf3faa60dc4c135441a180e98231ddebaaa7d77457

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
af12d105a1943270f701cf79aca1424e

SHA1
e02c00747fce3b0cd9fc4fc1061be444fa552a8c

SHA256
801ec8d1de4cc40f19f7b56ac53fef464ce278561f9ce70372f59ede55623ad9

SHA512
e3f07add0b46c43c8ce79b7208b08961eba3405fe47b51b1873812b5966ddd0dc4ec216e63795b197d797a373bd54911a8ae93088a34c90c8a49447baeb6f079

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
eacee3a6e5561e68dfce32234b065321

SHA1
acb3082408861850b7e7796317d4f5e1b5dd6dfe

SHA256
def71f6ae82d7a16f33511d27010dddfc136bd2c1af5fb0237e47035c8d64f60

SHA512
6d02ff859ac222a3e9486f0779598b22ad725eabecea36a385b4e1095b272a2552ad47c5f70c0469b437dcb78ec10111a821dfe5c27245b4136b7a26928f50b3

Download Submit
memory/224-149-0x00000000030E0000-0x0000000003146000-memory.dmp

Filesize
408KB

Download
memory/224-143-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/224-140-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/224-154-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/224-243-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/224-144-0x00000000030E0000-0x0000000003146000-memory.dmp

Filesize
408KB

Download
memory/440-306-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/924-299-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/1048-181-0x0000000005090000-0x00000000050A0000-memory.dmp

Filesize
64KB

Download
memory/1048-175-0x0000000000960000-0x00000000009C6000-memory.dmp

Filesize
408KB

Download
memory/1300-327-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/1300-136-0x0000000004E50000-0x0000000004E5A000-memory.dmp

Filesize
40KB

Download
memory/1300-133-0x0000000000400000-0x000000000058E000-memory.dmp

Filesize
1.6MB

Download
memory/1300-134-0x0000000005420000-0x00000000059C4000-memory.dmp

Filesize
5.6MB

Download
memory/1300-139-0x0000000006E30000-0x0000000006ECC000-memory.dmp

Filesize
624KB

Download
memory/1300-135-0x0000000004E70000-0x0000000004F02000-memory.dmp

Filesize
584KB

Download
memory/1300-137-0x0000000004E40000-0x0000000004E50000-memory.dmp

Filesize
64KB

Download
memory/1300-138-0x0000000004E40000-0x0000000004E50000-memory.dmp

Filesize
64KB

Download
memory/1324-454-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1324-400-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1492-358-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/1528-216-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1528-214-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/1528-208-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/1528-248-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1764-233-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/1764-234-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/1764-249-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/1848-183-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/1848-246-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1848-189-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/1848-194-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1848-192-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/1944-170-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1944-180-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/1944-177-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2236-351-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2672-157-0x00000000004A0000-0x0000000000500000-memory.dmp

Filesize
384KB

Download
memory/2672-162-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/2672-164-0x00000000004A0000-0x0000000000500000-memory.dmp

Filesize
384KB

Download
memory/2672-244-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/2968-304-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/3020-231-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3020-219-0x0000000002270000-0x00000000022D0000-memory.dmp

Filesize
384KB

Download
memory/3020-228-0x0000000002270000-0x00000000022D0000-memory.dmp

Filesize
384KB

Download
memory/3020-225-0x0000000002270000-0x00000000022D0000-memory.dmp

Filesize
384KB

Download
memory/3972-309-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/3972-438-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/4320-389-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/4320-453-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/4444-313-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4444-439-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4656-450-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4656-359-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4676-451-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4676-374-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4928-377-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4928-452-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5016-197-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/5016-198-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/5016-204-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/5016-247-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/5076-301-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads