blustealer | 07d820312855a56e9165f5986195914a6c5986f8d185eac057f8d2b15a5ce9b2

Analysis

max time kernel
151s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
07-05-2023 02:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
Size

1.5MB
MD5

ebf99fc11603d1ec4706b4330761df32
SHA1

c560ca5ae10593d7861701654d839d1071515866
SHA256

693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb
SHA512

d31c699f201343bd02c07bbf5d41e00df8368b81bfbb1d037fb4b1e1894fd3b8232e80b065845745fa6dab7f23d47efbb1d8b6a9143f5b7db0fb4a57395c4f4a
SSDEEP

49152:NQh9Nn3uFcWIY2YZGIUtNlMpovD2i9c2:0/37Wp2YPUtNlMG7N

Score

10^/10

blustealer collection spyware stealer

Malware Config

Extracted

Family

blustealer

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 22 IoCs

pid	Process
1688	alg.exe
2404	DiagnosticsHub.StandardCollector.Service.exe
3908	fxssvc.exe
4672	elevation_service.exe
852	elevation_service.exe
3012	maintenanceservice.exe
3532	msdtc.exe
4716	OSE.EXE
4092	PerceptionSimulationService.exe
1392	perfhost.exe
3616	locator.exe
5080	SensorDataService.exe
2840	snmptrap.exe
3240	spectrum.exe
372	ssh-agent.exe
4244	TieringEngineService.exe
2656	AgentService.exe
2876	vds.exe
1136	vssvc.exe
3108	wbengine.exe
4800	WmiApSrv.exe
4180	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\2cbc8d84c0346ca3.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
File opened for modification	C:\Windows\system32\AgentService.exe	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
File opened for modification	C:\Windows\System32\vds.exe	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
File opened for modification	C:\Windows\System32\msdtc.exe	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
File opened for modification	C:\Windows\system32\spectrum.exe	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
File opened for modification	C:\Windows\System32\alg.exe	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
File opened for modification	C:\Windows\system32\dllhost.exe	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
File opened for modification	C:\Windows\system32\wbengine.exe	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
File opened for modification	C:\Windows\system32\msiexec.exe	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
File opened for modification	C:\Windows\system32\locator.exe	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
File opened for modification	C:\Windows\system32\vssvc.exe	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1368 set thread context of 3788	1368	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe	91
PID 3788 set thread context of 1412	3788	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe	118

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jhat.exe	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jabswitch.exe	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\klist.exe	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\rmid.exe	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmap.exe	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jjs.exe	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\keytool.exe	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\java.exe	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javaw.exe	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\kinit.exe	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\rmiregistry.exe	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jsadebugd.exe	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jvisualvm.exe	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\wsimport.exe	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\rmid.exe	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\native2ascii.exe	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\schemagen.exe	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\java.exe	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\orbd.exe	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\java-rmi.exe	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdb.exe	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\xjc.exe	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javacpl.exe	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javaws.exe	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jjs.exe	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java.exe	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\ktab.exe	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\pack200.exe	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdeps.exe	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\klist.exe	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\pack200.exe	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000eafbd0398980d901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005839ad398980d901	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006f85da398980d901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e1d0cf3d8980d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cea8433a8980d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bdde5b3c8980d901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cc793d3e8980d901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000028ea90368980d901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	90	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
3788	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
3788	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
3788	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
3788	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
3788	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
3788	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
3788	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
3788	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
3788	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
3788	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
3788	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
3788	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
3788	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
3788	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
3788	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
3788	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
3788	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
3788	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
3788	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
3788	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
3788	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
3788	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
3788	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
3788	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
3788	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
3788	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
3788	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
3788	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
3788	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
3788	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
3788	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
3788	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
3788	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
3788	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
3788	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3788	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
Token: SeAuditPrivilege	3908	SearchProtocolHost.exe
Token: SeRestorePrivilege	4244	TieringEngineService.exe
Token: SeManageVolumePrivilege	4244	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2656	AgentService.exe
Token: SeBackupPrivilege	1136	vssvc.exe
Token: SeRestorePrivilege	1136	vssvc.exe
Token: SeAuditPrivilege	1136	vssvc.exe
Token: SeBackupPrivilege	3108	wbengine.exe
Token: SeRestorePrivilege	3108	wbengine.exe
Token: SeSecurityPrivilege	3108	wbengine.exe
Token: 33	4180	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4180	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4180	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4180	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4180	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4180	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4180	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4180	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4180	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4180	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4180	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4180	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4180	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4180	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4180	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4180	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4180	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4180	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4180	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4180	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4180	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4180	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4180	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4180	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4180	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4180	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4180	SearchIndexer.exe
Token: SeDebugPrivilege	3788	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
Token: SeDebugPrivilege	3788	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
Token: SeDebugPrivilege	3788	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
Token: SeDebugPrivilege	3788	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
Token: SeDebugPrivilege	3788	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3788	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1368 wrote to memory of 3788	1368	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe	91
PID 1368 wrote to memory of 3788	1368	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe	91
PID 1368 wrote to memory of 3788	1368	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe	91
PID 1368 wrote to memory of 3788	1368	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe	91
PID 1368 wrote to memory of 3788	1368	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe	91
PID 1368 wrote to memory of 3788	1368	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe	91
PID 1368 wrote to memory of 3788	1368	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe	91
PID 1368 wrote to memory of 3788	1368	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe	91
PID 3788 wrote to memory of 1412	3788	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe	118
PID 3788 wrote to memory of 1412	3788	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe	118
PID 3788 wrote to memory of 1412	3788	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe	118
PID 3788 wrote to memory of 1412	3788	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe	118
PID 3788 wrote to memory of 1412	3788	693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe	118
PID 4180 wrote to memory of 3908	4180	SearchIndexer.exe	119
PID 4180 wrote to memory of 3908	4180	SearchIndexer.exe	119
PID 4180 wrote to memory of 844	4180	SearchIndexer.exe	120
PID 4180 wrote to memory of 844	4180	SearchIndexer.exe	120

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
"C:\Users\Admin\AppData\Local\Temp\693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1368
- C:\Users\Admin\AppData\Local\Temp\693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe
  "C:\Users\Admin\AppData\Local\Temp\693c258cb5620f7e8714d4afc7215e2c7dc16872265148341db23b639906eecb.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3788
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path
    PID:1412

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1688

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2404

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3196

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
PID:3908

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4672

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:852

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:3012

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3532

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4716

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4092

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1392

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3616

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5080

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2840

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3240

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:372

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3328

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4244

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2656

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2876

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1136

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3108

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4800

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4180
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3908
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:844

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
89726ddd06ac565ceddef5c62ca988fd

SHA1
3017de38a75f6596c83448a7f15e2f98ac178ecb

SHA256
753ba29d08bc93a0c9721502c961d2442418637234395163a82692d9a704036c

SHA512
5ac2b97748ae528ace3ad5cbdeeb183e0a40a3c68797243ac011bb60a34475cb17b9eafdf77a1e7310c34aee4c1d72936997fc3c1d4c5f6334eb24b6cb4ba8c0

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
61eb4a73d6743dea557e699d51414f70

SHA1
ac2bc6fb938df956aaaf3edc22731c78cfb22a0f

SHA256
7f1dc2cf3d8ceb9481d0b8f7c03451651cd6b06060b29f0ff28dffb4c4cb0215

SHA512
397927ae5b100c4c417afd71b72aaf7ff31a1bf914d30b89efa3b498e7b3c14d216e18b2aadd9f0306e7518e62e0eb5c597707ee1769c8ac99dc483222bcb439

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
058368b70fa22f109aea73704e39d1f1

SHA1
05d51112c71e2e1b7c890b5ba2563e1ec7f446bd

SHA256
dd584adf2c4fff643c3b00e9d3753471db5999286cde62df410632caf12a2246

SHA512
40a7e7c608b5c66b3eecf2e7575360767564f0304c89adeb426db5c1ad8695bc25e30cfdc46ce9f4307cb6c7d1deadc1e427cbeb7b884c3754322d127552c515

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
9307c2d7c0f4d5c1650ed0d081fb5260

SHA1
dbfb8eedf298fa2f5d721dc473b79673bf57e037

SHA256
cfc9c4094cc673373741f4dd90dc8d56b4f1e18f6ac62c41c2f1b0a97d9752ba

SHA512
bc34f616930692c6610171f392c4048f445591e3bdcce81ccdda2f847bfb36c7d55ccdd78566d46534c47fd3a1c3f410eaefd060a8b835a8ee49c55fb68f3d7a

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
954c88c182c9f565391cd03df72e298b

SHA1
6d9720586d8650ba44eeea8768ad8f7f3bb4d93b

SHA256
e7932f7cfede5240e7fc4c367dc8f194cf48d693adcdee44365d88b86aef2be4

SHA512
0263dde903eeaac2c354bf449bc8828e17faa9d32917895a1c3db0da5d2527747a1543efb3a41251e743936a9b59616f34c9cd60aa7f3b32220d1426cfb2ebae

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
5c00675ee7b01950a2d0358022ee7110

SHA1
9e1c1d0675bd53f12be1a7d74cf4253b75a62cfe

SHA256
b4996e8a7da74f1a1c619324a3a663419f45ff575b86251e3047514779d976f6

SHA512
d75a7992fdc7fe67c7d4a35c7b8943764fc561ae97697cb7592da9fc9fb299ce3f5ee843deaa86b2d5116cfe82e8b7c5c32378c22e44c251b1328afa48cf06a5

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
0b081c2d0f70d2c2847c607436d1aae2

SHA1
690001ea9eb021acacebd435b5e20953e7a3dd1f

SHA256
1789c25c8806aa480709857f6cc5f98c918b4e27bc55011f783a1b032e8b7ff0

SHA512
db710c7016e9067c9a60f8502afc00d645319cc13b359f04aad88b2c73ac28e7dfb0df562c96037270df98d8b5bd598619de1ec3a5765a32cb93f940acc60c3d

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
f0a6058a972b7c37da094a35e5d5835d

SHA1
b7ddae63c42a07acc41a3aae159f400eaad57c85

SHA256
40fbdd070b5f9529c7b192831a284032f96e2ae02d755436441e51ea4b597cc4

SHA512
09a2988d2ff582b3fb6bd143e6733c58fefd501780d2a61f785bf0c2f055280c309f521233d5f8b1827d726c8a27a4d95c464ae97642e3ee0ad9203ba82cceb9

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
f7bab4c23beb71bc333bc7db132f377d

SHA1
112f141cb12378a55de106662b84c2c0eff5d2e7

SHA256
6325f5ba08e1444261a3f7ba69006b9144d760b0da38028eae5108c940ca850e

SHA512
3f1cc64e588a6d42e8ad0d209ec831144cf5ee26a861790fe45ff9e25586e78c9bacda47e1cd31e41ca7857c9dd787352ef185dde373c97f416f73569374fb6c

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
bbb91f1807de29ec2a41d4e19333d577

SHA1
b8201015b54e4103844008c6f1973cd11d56dd0a

SHA256
b6d21ce9eab6c5f5f7777fd1682d917341b187723fb5e96ef9c56ffcd7c97b83

SHA512
ebfca958293ec6bc7f408a2aa33866248aaf1ef14566f68d72fe7cfc9bb0323a70e05b28b8ef2dfa907f3eea4db294c51d7ef7698834caa30d0c411ddbaed363

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
bbb91f1807de29ec2a41d4e19333d577

SHA1
b8201015b54e4103844008c6f1973cd11d56dd0a

SHA256
b6d21ce9eab6c5f5f7777fd1682d917341b187723fb5e96ef9c56ffcd7c97b83

SHA512
ebfca958293ec6bc7f408a2aa33866248aaf1ef14566f68d72fe7cfc9bb0323a70e05b28b8ef2dfa907f3eea4db294c51d7ef7698834caa30d0c411ddbaed363

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
9632b8cdb404e5fd61bf07966eff0a6e

SHA1
1a769e1f8a814c2e66149ddbcfcf8d9d357cd0ae

SHA256
4dc506bcc876b2cf773ac61ab70ab607ad21db453c6070a9ce21f3a90fafab38

SHA512
c67f127377dfdc7993fcfd30c8bab66beca2527a81d8bde44b10caa2ffd185c30d73bc9a79b7e5349dfe9fce165e0dbb712c738dc60c2b3317059a44152d8465

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
89c6b91ec67ec247e178b8c3a913b05e

SHA1
7018a44d3a57e0b473ae27b5957f1e991e77f3f5

SHA256
8f7697dfda0213c6398dc17103c04d6cdbaf8ff42260dc1fec51ebf4df1155f0

SHA512
c4bed42d8490af03aae98993386e7817428231792e97163483bb12040844e6fec27a02e4f4a2e0e3ff2ba36862d70e81209615ff2243d42b566c931f3d18a677

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
d4f2c250c44532a7126e2d53e264c7c3

SHA1
45122637335b95319eeb6ab25d4731ee9f594bb8

SHA256
bcf2a831c76364f8e07d84afbd1389e1380d4a77b753dd4ec762e5aba765e394

SHA512
28bcc8239b0cda073ddd47d0e0689576e95ba7807586913e66a81331c80e955f5c1df52dc4547f1b401d9b11332f43d54405afa898dd4fb2aa0eeed9086cc396

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
95cdf4e0f75cd043ef6e29d65bfc9d02

SHA1
339bab792d4ac6fb3fa62748211422c46437a602

SHA256
dc00545887be56136bcd9e382a7887d102de44442c2e24361703e7e660c18782

SHA512
d1987e04703a052fac5042804599bc2ca9935643183ce44423daadedbcb3a4aa79654a64d39ffb042ab1660426a3f8bb2dc1d1870c19a3fe96ec52e02463f6e9

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
791065b0a870fde9dcb91c25c135e591

SHA1
5cec1a53d95c443cbfff58fde14f5fb37bb1afc3

SHA256
0bf3de6ee3b82b7ab72552623dbf34e15d90e3955c032548e7b0b0b34e0ecce8

SHA512
7ca707e512b6e148d655028d4b3286754300c044fc35b21678471c569a5fde2998a439eadf784cb8d037a669a9d80aacb511f0c0baeeea14cc44bae62cd359ed

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
2b8826f3e4790f6c82a4abcb76a9134a

SHA1
2e73e3a4890cd1622ca16233a2b7a89990f8e21f

SHA256
c49cbd35bb4198e94b3d06723f19081bcd888ec8c3e4376541bd2e807290c0d3

SHA512
7eaaf61e94e458ccea7c45e8e56e1bde9d0aad2a11e4fb221f62f336593afa6deb913d91b6de5f15cbcfd64867b30d78c336e6891a89ed3b956624f79fa89920

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
819917556a54584fd06c91cb33d5db86

SHA1
897b473aee8fdfd9697e5954a85a48453d106024

SHA256
d232fc10a2f80514665fce5a983e982a2d7b3365d8003a90a7f4bac6867759c6

SHA512
4b4781e7e92fe7c9789143f5ba0c771f77073b299dda740073fd69562b313a9f55cfd370f8979afdf293646db52dd96f13dffbd842be2b35d82e57c5018f9647

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
e904fe71e9101d1f17282eaba313eee2

SHA1
6460d9a4bfdd0b5c11cd6534c4f5c1e69f38c540

SHA256
79b9eab6a919c42c3f221d606b227859d3b76dbc9bdd9acf0aea6fdeb32e0aac

SHA512
a7333691246f7e22e4a7e1a4db42e3f66e04b6f23fc6dcb14cda6fe4d001a864b283335a27cf6008edb9e0f179b544a5cfa4680049072142415e2d63faa5e225

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
b3c3b4c7eec6cc06c4f0a8630e5bc5a7

SHA1
acc7d590672a4dd7686d3a5b4ea89725fe4b2fda

SHA256
7b7c30dda5c5d202c4334e2c3863a0f883df08a912dd114bc867e3410c82fd08

SHA512
d828cdbfa65275b4ec92ea59873c6a13c16a9e11bfaaadcda6773255db71f5df22ffa8651c02790b06d04e7b16a5596fbe6851aaaf6065f19cafe313628337b4

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
8db0fd96e8ec8979e3912ed4485e964d

SHA1
0d071cebca103a1f24d082de337417ba5c3360b6

SHA256
5aa64648ae943d4d44431844e79778b199cf4f00a3d755acfb5f62ff3d46002b

SHA512
94af7d8646d951de554fb97903857c8db2a6d9022dfebd5fa6f87e463022e79515160f709689f9cf091a8156969ad937a1c9b2fdd2c3998179fcd49e44c7fae5

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
9b022a2f8f01897ba9d9f3258ad2191d

SHA1
483e04f06f640dcdf348cdd733cca860958c4fd0

SHA256
bfcbcc987411bc465cd2d6275f71ceceba757f6d1ac8034aa79dfdc0a6ad2f23

SHA512
2e91bb2608f02e37aa5202d059df58ba30adf2962ffd3e626ff0bfbd94163065a849b2416180536d96938d3a03f04bc01ac5833c017fd80cdaa7876de633a6a0

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
4aa2cbc21511757573671ece78dcd5ee

SHA1
392812f5cdeb72a922b0ea72e66c0e6300c400a3

SHA256
a8f1f85716fdf6a4f8d271ee017201d0ae4344e906b14c555f32087053a377e9

SHA512
f294f533eb30662f43a3979ed8c772afccc692144bd4057e08eaa8ccff5b11f040b2ea4d57f45d28c4e7d2a6249f92ce994b61afa82fa7894d7df16e9959fb8e

Download Submit
memory/372-545-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/372-331-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/844-740-0x000002B9DE1B0000-0x000002B9DE1C0000-memory.dmp

Filesize
64KB

Download
memory/844-739-0x000002B9DE140000-0x000002B9DE141000-memory.dmp

Filesize
4KB

Download
memory/844-705-0x000002B9DE1B0000-0x000002B9DE1B2000-memory.dmp

Filesize
8KB

Download
memory/844-656-0x000002B9DE1B0000-0x000002B9DE1C0000-memory.dmp

Filesize
64KB

Download
memory/844-654-0x000002B9DDF70000-0x000002B9DDF80000-memory.dmp

Filesize
64KB

Download
memory/844-655-0x000002B9DE140000-0x000002B9DE141000-memory.dmp

Filesize
4KB

Download
memory/852-205-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/852-214-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/852-211-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/852-408-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1136-567-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1136-374-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1368-134-0x0000000005380000-0x0000000005924000-memory.dmp

Filesize
5.6MB

Download
memory/1368-137-0x0000000005040000-0x0000000005050000-memory.dmp

Filesize
64KB

Download
memory/1368-135-0x0000000004E70000-0x0000000004F02000-memory.dmp

Filesize
584KB

Download
memory/1368-133-0x0000000000310000-0x000000000049A000-memory.dmp

Filesize
1.5MB

Download
memory/1368-139-0x00000000070E0000-0x000000000717C000-memory.dmp

Filesize
624KB

Download
memory/1368-136-0x0000000004E60000-0x0000000004E6A000-memory.dmp

Filesize
40KB

Download
memory/1368-138-0x0000000005040000-0x0000000005050000-memory.dmp

Filesize
64KB

Download
memory/1392-269-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/1392-472-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/1412-469-0x0000000001310000-0x0000000001376000-memory.dmp

Filesize
408KB

Download
memory/1412-474-0x0000000005B20000-0x0000000005B30000-memory.dmp

Filesize
64KB

Download
memory/1688-159-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/1688-156-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/1688-350-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/1688-164-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/2404-178-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/2404-176-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/2404-170-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/2656-355-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2656-361-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2840-312-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2876-377-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3012-216-0x0000000001A10000-0x0000000001A70000-memory.dmp

Filesize
384KB

Download
memory/3012-222-0x0000000001A10000-0x0000000001A70000-memory.dmp

Filesize
384KB

Download
memory/3012-225-0x0000000001A10000-0x0000000001A70000-memory.dmp

Filesize
384KB

Download
memory/3012-228-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3108-401-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3240-509-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3240-315-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3532-428-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/3532-235-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/3532-230-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/3616-290-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/3788-144-0x0000000003890000-0x00000000038F6000-memory.dmp

Filesize
408KB

Download
memory/3788-149-0x0000000003890000-0x00000000038F6000-memory.dmp

Filesize
408KB

Download
memory/3788-140-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/3788-161-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/3788-143-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/3908-187-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/3908-190-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/3908-192-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3908-181-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/4092-268-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/4180-587-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4180-409-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4244-353-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/4672-201-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/4672-399-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4672-195-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4672-194-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/4716-453-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/4716-250-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/4800-584-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/4800-403-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/5080-292-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5080-463-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download