Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04-06-2024 01:00

Static task: static1
Behavioral task: behavioral1
Sample: 04aad27fda072629818afa8e15abb4d8.exe
Resource: win7-20240220-en

General
- Target: 04aad27fda072629818afa8e15abb4d8.exe
- Size: 5.5MB
- MD5: 04aad27fda072629818afa8e15abb4d8
- SHA1: 98b5433eb59605d5e097738702b96924a935b9a9
- SHA256: 253e5fa36738d1820d1eccd42811326a00d9fca65f8a1a6316d11e922436cb30
- SHA512: ba26ac6c112599df139a8fe8f04a2d93dc2bb4532730864e400f7e02160d618a89b06596737a9bd43858b7cd702b68eb350a895ea4df954eb5a1af7e996d8d29
- SSDEEP: 49152:IEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGff:GAI5pAdVJn9tbnR1VgBVm6u6otnoq
Malware Config
Signatures
Executes dropped EXE (21 IoCs)
Processes:
pid   process
2676  alg.exe
4848  DiagnosticsHub.StandardCollector.Service.exe
2228  fxssvc.exe
2704  elevation_service.exe
3080  elevation_service.exe
4248  maintenanceservice.exe
1996  msdtc.exe
3648  OSE.EXE
732   PerceptionSimulationService.exe
2072  perfhost.exe
3412  locator.exe
3160  SensorDataService.exe
1372  snmptrap.exe
3768  spectrum.exe
532   vds.exe
4868  wbengine.exe
5148  SearchIndexer.exe
6040  chrmstp.exe
5252  chrmstp.exe
5416  chrmstp.exe
5488  chrmstp.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (24 IoCs)
Processes: 04aad27fda072629818afa8e15abb4d8.exe, alg.exe, msdtc.exe
description  ioc  process
File opened for modification  C:\Windows\system32\vssvc.exe  04aad27fda072629818afa8e15abb4d8.exe
File opened for modification  C:\Windows\System32\alg.exe  04aad27fda072629818afa8e15abb4d8.exe
File opened for modification  C:\Windows\system32\config\systemprofile\AppData\Roaming\456c1eca8beeeac9.bin  alg.exe
File opened for modification  C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe  04aad27fda072629818afa8e15abb4d8.exe
File opened for modification  C:\Windows\System32\snmptrap.exe  04aad27fda072629818afa8e15abb4d8.exe
File opened for modification  C:\Windows\system32\SgrmBroker.exe  04aad27fda072629818afa8e15abb4d8.exe
File opened for modification  C:\Windows\System32\OpenSSH\ssh-agent.exe  04aad27fda072629818afa8e15abb4d8.exe
File opened for modification  C:\Windows\system32\dllhost.exe  04aad27fda072629818afa8e15abb4d8.exe
File opened for modification  C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe  04aad27fda072629818afa8e15abb4d8.exe
File opened for modification  C:\Windows\system32\MSDtc\MSDTC.LOG  msdtc.exe
File opened for modification  C:\Windows\SysWow64\perfhost.exe  04aad27fda072629818afa8e15abb4d8.exe
File opened for modification  C:\Windows\system32\AgentService.exe  04aad27fda072629818afa8e15abb4d8.exe
File opened for modification  C:\Windows\system32\SearchIndexer.exe  04aad27fda072629818afa8e15abb4d8.exe
File opened for modification  C:\Windows\system32\fxssvc.exe  04aad27fda072629818afa8e15abb4d8.exe
File opened for modification  C:\Windows\System32\msdtc.exe  04aad27fda072629818afa8e15abb4d8.exe
File opened for modification  C:\Windows\system32\spectrum.exe  04aad27fda072629818afa8e15abb4d8.exe
File opened for modification  C:\Windows\system32\TieringEngineService.exe  04aad27fda072629818afa8e15abb4d8.exe
File opened for modification  C:\Windows\System32\vds.exe  04aad27fda072629818afa8e15abb4d8.exe
File opened for modification  C:\Windows\system32\wbengine.exe  04aad27fda072629818afa8e15abb4d8.exe
File opened for modification  C:\Windows\system32\wbem\WmiApSrv.exe  04aad27fda072629818afa8e15abb4d8.exe
File opened for modification  C:\Windows\system32\AppVClient.exe  04aad27fda072629818afa8e15abb4d8.exe
File opened for modification  C:\Windows\system32\msiexec.exe  04aad27fda072629818afa8e15abb4d8.exe
File opened for modification  C:\Windows\system32\locator.exe  04aad27fda072629818afa8e15abb4d8.exe
File opened for modification  C:\Windows\System32\SensorDataService.exe  04aad27fda072629818afa8e15abb4d8.exe
Drops file in Program Files directory (64 IoCs)
Processes: 04aad27fda072629818afa8e15abb4d8.exe, maintenanceservice.exe
Drops file in Windows directory (2 IoCs)
Processes: 04aad27fda072629818afa8e15abb4d8.exe, msdtc.exe
description  ioc  process
File opened for modification  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe  04aad27fda072629818afa8e15abb4d8.exe
File opened for modification  C:\Windows\DtcInstall.log  msdtc.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: SensorDataService.exe, spectrum.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: TieringEngineService.exe
description  ioc  process
Key opened  \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0  TieringEngineService.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  TieringEngineService.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: chrome.exe
description  ioc  process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  chrome.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  chrome.exe
Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  chrome.exe
Modifies data under HKEY_USERS (64 IoCs)
Processes: SearchProtocolHost.exe, fxssvc.exe, SearchIndexer.exe, SearchFilterHost.exe
Modifies registry class 1 IoCs
Processes: chrmstp.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (process: chrmstp.exe)
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes: chrome.exe
PID 1464 chrome.exe
PID 1464 chrome.exe
PID 5548 chrome.exe
PID 5548 chrome.exe
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
PID 656
PID 656
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
Processes: chrome.exe
PID 1464 chrome.exe
PID 1464 chrome.exe
PID 1464 chrome.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 4 IoCs
Processes: chrome.exe, chrmstp.exe
PID 1464 chrome.exe
PID 1464 chrome.exe
PID 1464 chrome.exe
PID 5416 chrmstp.exe
Suspicious use of WriteProcessMemory 64 IoCs
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
[1] C:\Users\Admin\AppData\Local\Temp\04aad27fda072629818afa8e15abb4d8.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\04aad27fda072629818afa8e15abb4d8.exe"
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 1892
    [2] C:\Users\Admin\AppData\Local\Temp\04aad27fda072629818afa8e15abb4d8.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\04aad27fda072629818afa8e15abb4d8.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2c8,0x2cc,0x2d0,0x29c,0x2d4,0x140462458,0x140462468,0x140462478
        - Drops file in System32 directory
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Suspicious use of AdjustPrivilegeToken
        PID: 4864
    [2] C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
        - Enumerates system info in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory
        PID: 1464
        [3] C:\Program Files\Google\Chrome\Application\chrome.exe
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb1f1cab58,0x7ffb1f1cab68,0x7ffb1f1cab78
            PID: 468
        [3] C:\Program Files\Google\Chrome\Application\chrome.exe
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1652 --field-trial-handle=1908,i,11473193053713361312,2007788645273076543,131072 /prefetch:2
            PID: 3632
        [3] C:\Program Files\Google\Chrome\Application\chrome.exe
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=1908,i,11473193053713361312,2007788645273076543,131072 /prefetch:8
            PID: 5020
        [3] C:\Program Files\Google\Chrome\Application\chrome.exe
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2208 --field-trial-handle=1908,i,11473193053713361312,2007788645273076543,131072 /prefetch:8
            PID: 4052
        [3] C:\Program Files\Google\Chrome\Application\chrome.exe
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3048 --field-trial-handle=1908,i,11473193053713361312,2007788645273076543,131072 /prefetch:1
            PID: 60
        [3] C:\Program Files\Google\Chrome\Application\chrome.exe
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3068 --field-trial-handle=1908,i,11473193053713361312,2007788645273076543,131072 /prefetch:1
            PID: 1844
        [3] C:\Program Files\Google\Chrome\Application\chrome.exe
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4320 --field-trial-handle=1908,i,11473193053713361312,2007788645273076543,131072 /prefetch:1
            PID: 3612
        [3] C:\Program Files\Google\Chrome\Application\chrome.exe
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4464 --field-trial-handle=1908,i,11473193053713361312,2007788645273076543,131072 /prefetch:8
            PID: 2412
        [3] C:\Program Files\Google\Chrome\Application\chrome.exe
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4472 --field-trial-handle=1908,i,11473193053713361312,2007788645273076543,131072 /prefetch:8
            PID: 3600
        [3] C:\Program Files\Google\Chrome\Application\chrome.exe
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4836 --field-trial-handle=1908,i,11473193053713361312,2007788645273076543,131072 /prefetch:8
            PID: 5832
        [3] C:\Program Files\Google\Chrome\Application\chrome.exe
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5052 --field-trial-handle=1908,i,11473193053713361312,2007788645273076543,131072 /prefetch:8
            PID: 5992
        [3] C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
            Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
            - Executes dropped EXE
            PID: 6040
            [4] C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
                Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x2ac,0x2a4,0x2a8,0x2a0,0x2b0,0x14044ae48,0x14044ae58,0x14044ae68
                - Executes dropped EXE
                PID: 5252
            [4] C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
                Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
                - Executes dropped EXE
                - Modifies registry class
                - Suspicious use of FindShellTrayWindow
                PID: 5416
                [5] C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
                    Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x294,0x298,0x29c,0x270,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
                    - Executes dropped EXE
                    PID: 5488
        [3] C:\Program Files\Google\Chrome\Application\chrome.exe
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4140 --field-trial-handle=1908,i,11473193053713361312,2007788645273076543,131072 /prefetch:8
            PID: 5700
        [3] C:\Program Files\Google\Chrome\Application\chrome.exe
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2268 --field-trial-handle=1908,i,11473193053713361312,2007788645273076543,131072 /prefetch:2
            - Suspicious behavior: EnumeratesProcesses
            PID: 5548
[1] C:\Windows\System32\alg.exe
    Command line: C:\Windows\System32\alg.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    PID: 2676
[1] C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    - Executes dropped EXE
    PID: 4848
[1] C:\Windows\System32\svchost.exe
    Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
    PID: 4836
[1] C:\Windows\system32\fxssvc.exe
    Command line: C:\Windows\system32\fxssvc.exe
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
    PID: 2228
[1] C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
    Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
    - Executes dropped EXE
    PID: 2704
[1] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
    - Executes dropped EXE
    PID: 3080
[1] C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
    Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID: 4248
[1] C:\Windows\System32\msdtc.exe
    Command line: C:\Windows\System32\msdtc.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    PID: 1996
[1] \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
    Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
    - Executes dropped EXE
    PID: 3648
[1] C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
    Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
    - Executes dropped EXE
    PID: 732
[1] C:\Windows\SysWow64\perfhost.exe
    Command line: C:\Windows\SysWow64\perfhost.exe
    - Executes dropped EXE
    PID: 2072
[1] C:\Windows\system32\locator.exe
    Command line: C:\Windows\system32\locator.exe
    - Executes dropped EXE
    PID: 3412
[1] C:\Windows\System32\SensorDataService.exe
    Command line: C:\Windows\System32\SensorDataService.exe
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    PID: 3160
[1] C:\Windows\System32\snmptrap.exe
    Command line: C:\Windows\System32\snmptrap.exe
    - Executes dropped EXE
    PID: 1372
[1] C:\Windows\system32\spectrum.exe
    Command line: C:\Windows\system32\spectrum.exe
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    PID: 3768
[1] C:\Windows\System32\OpenSSH\ssh-agent.exe
    Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
    PID: 3660
[1] C:\Windows\system32\TieringEngineService.exe
    Command line: C:\Windows\system32\TieringEngineService.exe
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    PID: 2536
[1] C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
    PID: 3128
[1] C:\Windows\system32\AgentService.exe
    Command line: C:\Windows\system32\AgentService.exe
    - Suspicious use of AdjustPrivilegeToken
    PID: 1640
[1] C:\Windows\System32\vds.exe
    Command line: C:\Windows\System32\vds.exe
    - Executes dropped EXE
    PID: 532
[1] C:\Windows\system32\vssvc.exe
    Command line: C:\Windows\system32\vssvc.exe
    - Suspicious use of AdjustPrivilegeToken
    PID: 2372
[1] C:\Windows\system32\wbengine.exe
    Command line: "C:\Windows\system32\wbengine.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID: 4868
[1] C:\Windows\system32\wbem\WmiApSrv.exe
    Command line: C:\Windows\system32\wbem\WmiApSrv.exe
    PID: 2204
[1] C:\Windows\system32\SearchIndexer.exe
    Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
    PID: 5148
    [2] C:\Windows\system32\SearchProtocolHost.exe
        Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
        - Modifies data under HKEY_USERS
        PID: 5956
    [2] C:\Windows\system32\SearchFilterHost.exe
        Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
        - Modifies data under HKEY_USERS
        PID: 368
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
40B
MD50a8c17e97526f751a8aa475e8c8b7983
SHA12cb070d16a547e867aca22af457f13c44c17d0e2
SHA25681519c37e7b764606c063607c2fdc287f28845aed7cce899222c4f714f16f860
SHA51240a71708d63ea949f7132ef01340b3202eb349119623aa849b0e103e4b7ddbea543ba7ebe98b255eb58e26ac050c09a1dde89327f31deaa77f483dcf16136593
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e