blustealer | 52d4c9785ef46a412ea225c41757168d828d77058976963a9232ffa6bf0d9425

Analysis

max time kernel
151s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
30-04-2023 22:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
Size

1.6MB
MD5

170860057f4aad06ddbeea0ca2b3f1b6
SHA1

db04c735b769df458518f959ae7eca39cfa06213
SHA256

e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998
SHA512

f8bf57126bad026be2414121c798d5688119f06312404c35dea3f457deb717f6422291f5401178586fd23055577f893b4e6236e413c909e3b526c45d3b957766
SSDEEP

24576:uU7taDBzgNEfeEvFTMxdzYPh1ogay/zj1weNgcHFx5MpfTjU/c7jNXPohE:uU7PNBmMxdEvogdzxzHFx+pfTgE7VPI

Score

10^/10

blustealer collection spyware stealer

Malware Config

Extracted

Family

blustealer

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 22 IoCs

pid	Process
816	alg.exe
4376	DiagnosticsHub.StandardCollector.Service.exe
1400	fxssvc.exe
1600	elevation_service.exe
3944	elevation_service.exe
1512	maintenanceservice.exe
4648	msdtc.exe
2304	OSE.EXE
1272	PerceptionSimulationService.exe
1692	perfhost.exe
5096	locator.exe
5052	SensorDataService.exe
4268	snmptrap.exe
3364	spectrum.exe
4900	ssh-agent.exe
1724	TieringEngineService.exe
780	AgentService.exe
776	vds.exe
1224	vssvc.exe
1556	wbengine.exe
2404	WmiApSrv.exe
4340	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\ac1e2057c0346ca3.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\vds.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Windows\system32\wbengine.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Windows\System32\alg.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Windows\system32\msiexec.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Windows\system32\vssvc.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Windows\System32\msdtc.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Windows\system32\locator.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Windows\system32\spectrum.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Windows\system32\AgentService.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3104 set thread context of 4380	3104	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe	86
PID 4380 set thread context of 2440	4380	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe	113

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jconsole.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\policytool.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\unpack200.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmic.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\tnameserv.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\orbd.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\native2ascii.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmid.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jabswitch.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{12B41477-B896-4CE0-B721-49B4FD6AD28D}\chrome_installer.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\kinit.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javacpl.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jcmd.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\wsgen.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\java.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\kinit.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\orbd.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javaw.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\kinit.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstat.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\java.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\klist.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\servertool.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\orbd.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jinfo.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jjs.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmiregistry.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jabswitch.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\java-rmi.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jhat.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\pack200.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jp2launcher.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jjs.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jp2launcher.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\nbexec64.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000002bce79ab97bd901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002e375e9cb97bd901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000da8019eb97bd901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cef8a675b97bd901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000053a3129bb97bd901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c2190c9db97bd901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b4ff8298b97bd901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009b558b9cb97bd901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	80	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
3104	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
3104	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
4380	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
4380	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
4380	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
4380	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
4380	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
4380	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
4380	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
4380	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
4380	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
4380	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
4380	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
4380	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
4380	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
4380	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
4380	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
4380	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
4380	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
4380	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
4380	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
4380	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
4380	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
4380	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
4380	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
4380	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
4380	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
4380	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
4380	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
4380	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
4380	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
4380	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
4380	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
4380	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
4380	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
4380	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
4380	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeDebugPrivilege	3104	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
Token: SeTakeOwnershipPrivilege	4380	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
Token: SeAuditPrivilege	1400	fxssvc.exe
Token: SeRestorePrivilege	1724	TieringEngineService.exe
Token: SeManageVolumePrivilege	1724	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	780	AgentService.exe
Token: SeBackupPrivilege	1224	vssvc.exe
Token: SeRestorePrivilege	1224	vssvc.exe
Token: SeAuditPrivilege	1224	vssvc.exe
Token: SeBackupPrivilege	1556	wbengine.exe
Token: SeRestorePrivilege	1556	wbengine.exe
Token: SeSecurityPrivilege	1556	wbengine.exe
Token: 33	4340	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4340	SearchIndexer.exe
Token: SeDebugPrivilege	4380	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
Token: SeDebugPrivilege	4380	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
Token: SeDebugPrivilege	4380	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
Token: SeDebugPrivilege	4380	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
Token: SeDebugPrivilege	4380	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4380	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 3104 wrote to memory of 4572	3104	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe	85
PID 3104 wrote to memory of 4572	3104	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe	85
PID 3104 wrote to memory of 4572	3104	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe	85
PID 3104 wrote to memory of 4380	3104	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe	86
PID 3104 wrote to memory of 4380	3104	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe	86
PID 3104 wrote to memory of 4380	3104	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe	86
PID 3104 wrote to memory of 4380	3104	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe	86
PID 3104 wrote to memory of 4380	3104	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe	86
PID 3104 wrote to memory of 4380	3104	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe	86
PID 3104 wrote to memory of 4380	3104	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe	86
PID 3104 wrote to memory of 4380	3104	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe	86
PID 4380 wrote to memory of 2440	4380	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe	113
PID 4380 wrote to memory of 2440	4380	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe	113
PID 4380 wrote to memory of 2440	4380	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe	113
PID 4380 wrote to memory of 2440	4380	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe	113
PID 4380 wrote to memory of 2440	4380	e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe	113
PID 4340 wrote to memory of 2344	4340	SearchIndexer.exe	114
PID 4340 wrote to memory of 2344	4340	SearchIndexer.exe	114
PID 4340 wrote to memory of 1284	4340	SearchIndexer.exe	115
PID 4340 wrote to memory of 1284	4340	SearchIndexer.exe	115

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
"C:\Users\Admin\AppData\Local\Temp\e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3104
- C:\Users\Admin\AppData\Local\Temp\e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
  "C:\Users\Admin\AppData\Local\Temp\e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe"
  2⤵
  PID:4572
- C:\Users\Admin\AppData\Local\Temp\e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe
  "C:\Users\Admin\AppData\Local\Temp\e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4380
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path
    PID:2440

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:816

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4376

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1056

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1400

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1600

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3944

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1512

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4648

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2304

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1272

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1692

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:5096

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5052

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4268

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3364

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4900

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2200

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1724

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:780

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:776

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1224

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1556

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2404

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4340
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2344
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 900
  2⤵
  - Modifies data under HKEY_USERS
  PID:1284

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
f3bb6bef80c04f2712e398512cf60d78

SHA1
8f145920bfe9c3dc6a4d3d76e9f501ee3777ab54

SHA256
001dc896d0731b019fd937f2c3aca9fb179ec1480906d0781dec4e4a18104619

SHA512
585492a7f25a4fdbe3edadd0d3269c0beb634677697518765383471c5710e5fcff8aa7301883976f2961abdd80698b9078549eb4e470dfc88a80a2f434372feb

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
bf84491ae294df0bf48a27a701799dfa

SHA1
11ca019823c40034a219d92b88d03bd8e0f6074c

SHA256
9244b213bea74533a08146a344c8aa87ee33586d0ae2dec633e9263ad3474bff

SHA512
c628e0f0733d451bdd0a40cc4043f2143ded877e5bc0d8132cdf69e82552062597f701b08bb588cfaa00814e23460ea7c2a8445c9aca8b5b4835a7fa1dc0f75f

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
3a3e310fa636290fd68f3577330ef4de

SHA1
d63cc8a7e8c1cde1ebd0e99152bdd135c907f592

SHA256
64865128caf10c9b65dc167afde928630af11340f1c4f105a320bbe4805e747f

SHA512
571bee3104d213fc35e67397995ee313504dc8b7d1546bd9fba650a6eb061cd7c0213e605c04b29648edb9b4abb81cd723e908572472924dfcbb65fad05518a2

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
a8956f7a864cdd5859bfdb74a7543ba2

SHA1
f958ab932bd8f2da73cb2a86312f7f83b4dfb18c

SHA256
732030c94b54dcfc198b033a0eea3ccae67abed66c5a31826fe62c6c8f14fae5

SHA512
12577d5794d861599eb4100aa8fb821ce5dc99c63481d44fa545f82c0a95a5e5faa1fcef88096ca0ad046ca64fbb6fe27e4770498c2ac9f71314f94ef2368191

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
13d63607f9043135b2232b792d35e823

SHA1
bc436e29df483b3f3fecf32a1d74d865e6103322

SHA256
301859dbb1bddcb8535bea596cce319dbde774d044f9ab7e0818a831f7e752b0

SHA512
c01eddcfc314b42876553240c3e5826268a180f1a046d86fdd7adca9119e9a8986c55afe5f81ab5d5143148198964320bed2a1f8c4428c2d6ba1c96c666d2778

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
850ddefc9e528252d978c8f3f539b2ee

SHA1
657112dd83312c087c12184326ea848c2f18853c

SHA256
5a179adc30a1928f7780339f07e100031ff8876322fe664f5252e55a18f1de51

SHA512
63dde54c5c7b24ab8f9ccd04cf3f43bd945e66137bfe084297d1a0dc51bccb24fad61ad61158f3d37f6fce1d0e5f2fc50f95ddb329dc50a0feceb6a2ad18c915

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
c645ba84328c91191dc4899fa91c1884

SHA1
4e6df1b5b636d26aeb6e3b5cc0cb167f2182ce04

SHA256
c5cde7f38b21c4e86e94047b2836c661d5444804c06153c653cd570baa89bd24

SHA512
4af3c5e5d4d00a0ccb32d8b812c9b23d0d79688675741d0bb704e9e5f423c4f587d232e1debdec69ff4172cc70dc8f27eaa07ceea418dbd520594c2b8f0a8e93

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
5f50338dd547e2458aa3443907812cb5

SHA1
42a5038f2057d1b0c9d425d5f26fe092bbbce5c8

SHA256
cc17cb24b23b989ed298ef2ceee8cadbad03441fc5eebc4b0170bb271afeec3b

SHA512
b79b491d4f40fd15998bb560a53a7216e2acbf03746b08f17d2e4bc436730a00958b2e57a497b83da82e91231c5fa2a62501306db9eafa08ce123258559fb5c2

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
6cd32d2e79814709eb53c62a08885fff

SHA1
31d6d24271dfc08c4010d4d1614673e4a67b8653

SHA256
9be683730c7f151fe2d05f7d524f122265b52832c3ac644338b787129cc5ea5a

SHA512
51ab5cfa810a62dd74642f7d4c3abaa4f5e302e883b2c90d4d368d810e6561683498bc2f201a6728c431cd0f2414219ced4ea5de97adc55209b40145db54799f

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
e7f0e1be7e2bc06b8403023612e22082

SHA1
8983eb3d02953eb62cece3f7ab711b0fb2b2ed24

SHA256
88a9c027512d65767f669070a15b9ebe45b43a5389aa0230b0f448d9f7017726

SHA512
05d5568723625354d4588eaf3b2b1503f95cec335b558c22799a4922504a629da0dce439cb2e05ab79964e0eb98776b53e4c53a864867c2440b7b7fd14f829f9

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
e7f0e1be7e2bc06b8403023612e22082

SHA1
8983eb3d02953eb62cece3f7ab711b0fb2b2ed24

SHA256
88a9c027512d65767f669070a15b9ebe45b43a5389aa0230b0f448d9f7017726

SHA512
05d5568723625354d4588eaf3b2b1503f95cec335b558c22799a4922504a629da0dce439cb2e05ab79964e0eb98776b53e4c53a864867c2440b7b7fd14f829f9

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
95f111ae623631e73236ca50e009c1a5

SHA1
a8839a336b6936fecd540f27beba1b753ce3e010

SHA256
f65c249cee96779b3c4aacc435f3275f7ca2472b78ba89e5928d3ef3be9f1031

SHA512
d4440d7436d3d8dfa374088fad45060aee7206920966eda19c59fc757ecd357034d220ff543380a2c525fa870406020926df5350ba5574b9e6e59e1af1ce0c11

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
e6b122304d3d425a163dcee00aace373

SHA1
7be1bdd02f77e71bed863f82a48936e452329920

SHA256
dffb7fc7e7a98254c3aefe91cee7d3e4c062497d853f36e69dec0b5938bea2cb

SHA512
7091360f4ec697d8c1ba043bac51d9ee2a181026e80d2fcd316242764cd974398cba50a1de9472db4db6d8625ef9a99a8a7ea65fca2db0bf7958342407fa7a0a

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
fb071f3a934c95665273d37cad3949a3

SHA1
251f6bce8744acfb675250540b6da7af2230b1ab

SHA256
83e4553207a54857a22a5540f0d0c185b4c701735483c41daaf8dad322159bf3

SHA512
d21546564a2defeae9c43e8a1964a07c66f52e63dd38c6c718861cbb902a8a68474f3456aa192bea41e3d2ab411cf572bab1b8759fb6a3c3f3813ed8841cdac3

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
05b02d8ba83d0cc0129d5c8771a66901

SHA1
d361f794419b4df5ae5fb1aad0e6d60f665e7576

SHA256
a919e2d28c7d609959a476737f106ebebc860feef43c442caa4f5348d96a6d6c

SHA512
e78ad294f364663a0927c5bc5ebac37388d2813192e5ca7c845a3012150f96f694518e37955adae03578b57e814c3265c03a065da9b8b816c1498922b6f3630a

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
6e9a2c6c8453b6c9851f810223baacfd

SHA1
2001ab98e0a28025783dd882a1a56e92c71bb663

SHA256
b42e8585f520a2a2cca48f85aba1bb67ee4ac699b77b1761420105a8a189c997

SHA512
b489762198b8ac22be747745c28cf7c678a401b781f54cc90d4b0de1e04c0ef0d7b7f647fd9100a6ca0d66b3b2a6586d108c168dbb232beb2156cc5df00e4ea5

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
8aa90865a0332be88ea6973c10cbbbee

SHA1
82af051f712b88294b60ce9d30c7ebee07f71b49

SHA256
79d363f4624ee9617dda55655fd5f7b825302114a5e9aede0ae2389c83777929

SHA512
c55d183616352f2a3e11abe84953ed5af57d2c66df6196e5ba4f210374ce734728a097182ffe5b6122ea8886ee6c36540a7fe512a0c2a9a5a82ef4d5e53aa333

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
fa00dc6fb032a844f3b10227b88d864f

SHA1
ce5ca0663f8d8e01c186428091a5fd73c524a8e6

SHA256
9fcd871113624fa4f3e18759c4ba2c8cf6235b93a13b02703982cfe91490b18e

SHA512
0ff330491fc795a8f6af50eb1943252c943f2012574f78a7097ec8003c6185fe83ce6ace5200573cfaba2664e02a69c2ef6e4efdd10f57c52ecb6a8565488e84

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
7c99149d1d0e1e62030924f660435fc6

SHA1
0fae2d89f342fa42a96d7d1b04515baf54851019

SHA256
d1556bc97b9be895ced1e3e5dc1132f4daffc0f7cd00f6339f3660a6ba70cf1a

SHA512
6439053c79d3406c6927df9e1b0b4d823bdbc9e6cc2b335998a9832de68602e95c4ae326ad5016211a563c83fee22818f97f4a0d89acbc54ddadd2d1ac876f48

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
07cecd56866294bdc6e04a161ec05aa3

SHA1
5965af729505e7184b8ad46787db58ef3543eaa9

SHA256
c8e18b22ff4d76a0ce48454a5f98397ce88ebe812f552a63aa852de72e00a0f0

SHA512
87f3f9ed6ab2c8e42384fe58179a8e12997f6b1b0fb3a33876ea869fdf03dbdd4d20e36af8a4ac7daccd5eefa1cb2ec5e67eaaf8bfd29e73a3f0d71bbeb3d241

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
21ca4ac86c7e4965ca66f1701a2d7d0a

SHA1
6cbfe1e3b84a295cb289621742d03e9567622164

SHA256
f87e4bf510aa34e32e88a84f3e1d1c2d3c70cb67b4ddf0c0ab2c46b9d43e9416

SHA512
f82e371af3445ab30f59c3d33e84b47e556d5118dba84d2bea12c890b9a15554c091b09fc3c79d2b80c770935f0f12f846809826da73ac557530d3b44c29a634

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
86e64896661f6379a1db1cee50abd706

SHA1
2c62783de54b5a9beff4dd059b68adc09bf64b4a

SHA256
acc3e26b20dd1903b90e5d3133116b3a8089c6303761cc3ea3756b7970fe1f9d

SHA512
07e73f8ea13abb8461f8a767b17d39056478100b2e14befd4c8a46143c5db302324991e302073f9e7496d3ebb938c1326e80e02ca77eeefa5fa371256e20f1c3

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
70c6176f2074a15e2876026141d9c62e

SHA1
d2a247870e822e3a964dc0d1974ef2eee4ba2fa4

SHA256
be4670596082f2844a9ee1fe093400118824a40a4a359ec2f6cdfe67e47906ec

SHA512
d3484e9ef07a3dafe009409b9cbb8c446fc5b48253a003fdaefdfe2308de326e6e8877b00e61e2fb6788f3b3ff57e2cde87186ffd10b8c5bbb91f35db2c8bd5c

Download Submit
memory/776-380-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/780-358-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/816-164-0x0000000000660000-0x00000000006C0000-memory.dmp

Filesize
384KB

Download
memory/816-160-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/816-156-0x0000000000660000-0x00000000006C0000-memory.dmp

Filesize
384KB

Download
memory/816-335-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/1224-598-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1224-381-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1272-465-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/1272-266-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/1284-690-0x0000021B02590000-0x0000021B025AA000-memory.dmp

Filesize
104KB

Download
memory/1284-711-0x0000021B03E50000-0x0000021B03E71000-memory.dmp

Filesize
132KB

Download
memory/1284-717-0x0000021B02590000-0x0000021B025AA000-memory.dmp

Filesize
104KB

Download
memory/1284-718-0x0000021B02590000-0x0000021B025AA000-memory.dmp

Filesize
104KB

Download
memory/1284-720-0x0000021B02590000-0x0000021B025AA000-memory.dmp

Filesize
104KB

Download
memory/1284-719-0x0000021B02590000-0x0000021B025AA000-memory.dmp

Filesize
104KB

Download
memory/1284-670-0x0000021B02590000-0x0000021B025AA000-memory.dmp

Filesize
104KB

Download
memory/1284-668-0x0000021B02570000-0x0000021B02580000-memory.dmp

Filesize
64KB

Download
memory/1284-669-0x0000021B02580000-0x0000021B02590000-memory.dmp

Filesize
64KB

Download
memory/1284-671-0x0000021B02590000-0x0000021B025AA000-memory.dmp

Filesize
104KB

Download
memory/1284-672-0x0000021B02590000-0x0000021B025AA000-memory.dmp

Filesize
104KB

Download
memory/1284-716-0x0000021B02580000-0x0000021B02590000-memory.dmp

Filesize
64KB

Download
memory/1284-713-0x0000021B03E50000-0x0000021B03E71000-memory.dmp

Filesize
132KB

Download
memory/1284-712-0x0000021B03E50000-0x0000021B03E71000-memory.dmp

Filesize
132KB

Download
memory/1284-710-0x0000021B03E50000-0x0000021B03E71000-memory.dmp

Filesize
132KB

Download
memory/1284-693-0x0000021B03E50000-0x0000021B03E71000-memory.dmp

Filesize
132KB

Download
memory/1284-692-0x0000021B03E50000-0x0000021B03E71000-memory.dmp

Filesize
132KB

Download
memory/1284-691-0x0000021B03E50000-0x0000021B03E71000-memory.dmp

Filesize
132KB

Download
memory/1284-673-0x0000021B02590000-0x0000021B025AA000-memory.dmp

Filesize
104KB

Download
memory/1400-187-0x0000000000430000-0x0000000000490000-memory.dmp

Filesize
384KB

Download
memory/1400-181-0x0000000000430000-0x0000000000490000-memory.dmp

Filesize
384KB

Download
memory/1400-190-0x0000000000430000-0x0000000000490000-memory.dmp

Filesize
384KB

Download
memory/1400-376-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1400-193-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1512-216-0x0000000002230000-0x0000000002290000-memory.dmp

Filesize
384KB

Download
memory/1512-222-0x0000000002230000-0x0000000002290000-memory.dmp

Filesize
384KB

Download
memory/1512-224-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1512-227-0x0000000002230000-0x0000000002290000-memory.dmp

Filesize
384KB

Download
memory/1512-229-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1556-400-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1600-194-0x00000000004D0000-0x0000000000530000-memory.dmp

Filesize
384KB

Download
memory/1600-378-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1600-195-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1600-201-0x00000000004D0000-0x0000000000530000-memory.dmp

Filesize
384KB

Download
memory/1692-286-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/1724-357-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/2304-264-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/2404-402-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/2404-612-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/2440-463-0x0000000001230000-0x0000000001296000-memory.dmp

Filesize
408KB

Download
memory/2440-469-0x00000000058B0000-0x00000000058C0000-memory.dmp

Filesize
64KB

Download
memory/3104-134-0x0000000005E00000-0x00000000063A4000-memory.dmp

Filesize
5.6MB

Download
memory/3104-133-0x0000000000DC0000-0x0000000000F56000-memory.dmp

Filesize
1.6MB

Download
memory/3104-135-0x0000000005850000-0x00000000058E2000-memory.dmp

Filesize
584KB

Download
memory/3104-136-0x00000000057D0000-0x00000000057DA000-memory.dmp

Filesize
40KB

Download
memory/3104-137-0x0000000005AE0000-0x0000000005AF0000-memory.dmp

Filesize
64KB

Download
memory/3104-138-0x0000000005AE0000-0x0000000005AF0000-memory.dmp

Filesize
64KB

Download
memory/3104-139-0x0000000007A40000-0x0000000007ADC000-memory.dmp

Filesize
624KB

Download
memory/3364-321-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3364-580-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3944-214-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3944-398-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3944-205-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/3944-211-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/4268-548-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/4268-307-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/4340-416-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4340-613-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4376-176-0x0000000000550000-0x00000000005B0000-memory.dmp

Filesize
384KB

Download
memory/4376-179-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/4376-170-0x0000000000550000-0x00000000005B0000-memory.dmp

Filesize
384KB

Download
memory/4380-140-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/4380-149-0x0000000003480000-0x00000000034E6000-memory.dmp

Filesize
408KB

Download
memory/4380-144-0x0000000003480000-0x00000000034E6000-memory.dmp

Filesize
408KB

Download
memory/4380-143-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/4380-162-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/4648-231-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/4648-239-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/4900-338-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/5052-468-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5052-304-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5096-287-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download