blustealer | 7a62f4e361c2f327d6d3949e1d05ba5a9d36bf88e25a1fe567e037bbc8943a94

Analysis

max time kernel
146s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
03-05-2023 02:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
Size

1.6MB
MD5

e90e41677f6030ffc3eac62929ced1d9
SHA1

edb0a2acdec33328a864ac178bfb0b42a2e0d444
SHA256

dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205
SHA512

a2e20c8b160c366baed60adca173587e5c3b94b811f4f52ac3aaab01a0301716e30cc7c7d2a426ee32a6df651021717e4fe097073610860a949e7933468e10fa
SSDEEP

24576:KRKQxWUF61/J27K4mgZB67gTsD6RROjiDefziWX2GDjGBXtnZYx:K4QcUFO34mg367gTOwMMohjw9Z+

Score

10^/10

blustealer collection spyware stealer

Malware Config

Extracted

Family

blustealer

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 22 IoCs

pid	Process
2424	alg.exe
3288	DiagnosticsHub.StandardCollector.Service.exe
756	fxssvc.exe
4180	elevation_service.exe
3936	elevation_service.exe
2060	maintenanceservice.exe
1652	msdtc.exe
1208	OSE.EXE
1692	PerceptionSimulationService.exe
3216	perfhost.exe
1908	locator.exe
4320	SensorDataService.exe
2452	snmptrap.exe
4776	spectrum.exe
4152	ssh-agent.exe
4984	TieringEngineService.exe
2128	AgentService.exe
752	vds.exe
4324	vssvc.exe
4408	wbengine.exe
2032	WmiApSrv.exe
536	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\msiexec.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\spectrum.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Windows\system32\AgentService.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Windows\system32\vssvc.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Windows\system32\locator.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Windows\System32\alg.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Windows\system32\dllhost.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Windows\system32\wbengine.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\7cdda241ea807a0f.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Windows\System32\msdtc.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Windows\System32\vds.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2188 set thread context of 4752	2188	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe	90
PID 4752 set thread context of 4596	4752	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe	96

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jinfo.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\tnameserv.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\orbd.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\keytool.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\ktab.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\serialver.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\rmid.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\java.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\klist.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\keytool.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\policytool.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\xjc.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdb.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\pack200.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jjs.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\tnameserv.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\unpack200.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\policytool.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ssvagent.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\orbd.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\servertool.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javaw.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\policytool.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmiregistry.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\rmiregistry.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jabswitch.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{A100221D-7AEF-402B-B05F-21D404F0BFBF}\chrome_installer.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmap.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jjs.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javah.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstack.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\wsimport.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ee855bbe777dd901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000099c9dabd777dd901	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005146bdbe777dd901	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e03bb5bf777dd901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001c1a51bf777dd901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009a0879bd777dd901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000046243abe777dd901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	37	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
4752	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
4752	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
4752	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
4752	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
4752	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
4752	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
4752	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
4752	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
4752	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
4752	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
4752	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
4752	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
4752	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
4752	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
4752	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
4752	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
4752	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
4752	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
4752	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
4752	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
4752	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
4752	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
4752	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
4752	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
4752	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
4752	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
4752	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
4752	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
4752	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
4752	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
4752	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
4752	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
4752	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
4752	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
4752	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4752	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
Token: SeAuditPrivilege	756	fxssvc.exe
Token: SeRestorePrivilege	4984	TieringEngineService.exe
Token: SeManageVolumePrivilege	4984	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2128	AgentService.exe
Token: SeBackupPrivilege	4324	vssvc.exe
Token: SeRestorePrivilege	4324	vssvc.exe
Token: SeAuditPrivilege	4324	vssvc.exe
Token: SeBackupPrivilege	4408	wbengine.exe
Token: SeRestorePrivilege	4408	wbengine.exe
Token: SeSecurityPrivilege	4408	wbengine.exe
Token: 33	536	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	536	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	536	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	536	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	536	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	536	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	536	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	536	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	536	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	536	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	536	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	536	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	536	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	536	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	536	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	536	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	536	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	536	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	536	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	536	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	536	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	536	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	536	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	536	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	536	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	536	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	536	SearchIndexer.exe
Token: SeDebugPrivilege	4752	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
Token: SeDebugPrivilege	4752	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
Token: SeDebugPrivilege	4752	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
Token: SeDebugPrivilege	4752	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
Token: SeDebugPrivilege	4752	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4752	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 4752	2188	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe	90
PID 2188 wrote to memory of 4752	2188	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe	90
PID 2188 wrote to memory of 4752	2188	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe	90
PID 2188 wrote to memory of 4752	2188	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe	90
PID 2188 wrote to memory of 4752	2188	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe	90
PID 2188 wrote to memory of 4752	2188	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe	90
PID 2188 wrote to memory of 4752	2188	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe	90
PID 2188 wrote to memory of 4752	2188	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe	90
PID 4752 wrote to memory of 4596	4752	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe	96
PID 4752 wrote to memory of 4596	4752	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe	96
PID 4752 wrote to memory of 4596	4752	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe	96
PID 4752 wrote to memory of 4596	4752	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe	96
PID 4752 wrote to memory of 4596	4752	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe	96
PID 536 wrote to memory of 4848	536	SearchIndexer.exe	118
PID 536 wrote to memory of 4848	536	SearchIndexer.exe	118
PID 536 wrote to memory of 4148	536	SearchIndexer.exe	119
PID 536 wrote to memory of 4148	536	SearchIndexer.exe	119

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
"C:\Users\Admin\AppData\Local\Temp\dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Users\Admin\AppData\Local\Temp\dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
  "C:\Users\Admin\AppData\Local\Temp\dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4752
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path
    PID:4596

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2424

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3288

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:5116

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:756

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4180

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3936

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2060

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1652

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1208

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1692

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3216

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1908

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4320

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2452

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4776

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4152

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4620

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4984

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2128

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:752

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4324

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4408

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2032

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:536
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4848
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 900
  2⤵
  - Modifies data under HKEY_USERS
  PID:4148

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
a078bae31ca61dc0c7443eea0fe89f3e

SHA1
5eda98f1c7683651c7845415536dd5e0a3ef41d4

SHA256
78fc3f5a62a5d1aa588c7405bbd0afbe46872178d635c54a6ef2794c2f09c8ea

SHA512
708040b2754840fafd68c435a7afec8cb9c6aed6c0f5c128028e65b626ef6c6e7bf7b68af046f55158fe98d592e2d9ed7ee4f4e2eaf668fa0ff8d2945dac4c2a

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
f8976862dfef28e159b175d0c4c0b17d

SHA1
bf3d14f1912841744dbfe7389fc1b823a8c3f0d1

SHA256
cb3d6d1340f2b54c412cc14168b2988120ef69d27c750dab6cb639e12ec6b483

SHA512
132577fe3e7f436a0db8072cf5f0f6be93eb85c967a880d2abbc1e25318b3ea3ef3602d6722c97ab1eaa748cd9dd0e82e598013e8b01aa727ef85cf5b21115f1

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
b9efa166ea09166562511494b13ee91f

SHA1
0ff8d08f5e78c9f9d39a2ac6d8a1cd880735ed78

SHA256
ef9a217fe11f62c83e7a42bb23f967a20ddb63c0ad671b47b4791c1f5aac2668

SHA512
c4f09b0239af142d8e36faefe4ff206576a611b59241e519252b527cf926c472306ec1c5ee522a984991a7a51c26c0cc11c2f3656427f8d223633de19e91aab8

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
979a436881a2b7d516d6856aa66dbe0d

SHA1
fa149f840ef1121cb7b86731e84b8b8693806a3e

SHA256
dce2f2a6dc8a0b488f4a6ed7dde3a70483c03499d06d2c936e5c597ef70e6022

SHA512
0bbe4cbc058bf4fc566ceb0c16c4cbf351601da910b20ab116ed34d3ff3a93952d220ffee122cfcadba32c6f178b137105ce27dd3b02dd8b8aca8782e1ff63d8

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
5220f135ed58af95c64a7fcccb03d007

SHA1
f7bbfcf3acf0edab1dd76ac0b8e89438b3792cb6

SHA256
fe9b06ac990c7997a72de2d278df374b138898afe5ccc60ca375627f2800fe56

SHA512
94c4f151d7c31c2dd4a768c814c965c3ece688d4f03e252ee0fe1a3b0da5df1368e5cf8a19e5bb827f19786513013c55750f032ec3937e5a97f49da97b8e07a5

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
05ded75dc1d589acef01e7df6eb87e00

SHA1
e02f857de09cec5682f9608144aab5f11a450789

SHA256
e481d021ae59b9a5328cde5e0d251b8a9c34a81f88c444feafd1bc8b48f78898

SHA512
5ab7907b161de5ecde90bb4d878f48e02cff5ee33102fa91d5b5b5036edfa1ba2836ca8d778c1f8bb7b412ccad90f3dc973d65c0705aefcd36e810b423ae2324

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
ddaaafb52ca44464a94ded10b988ea41

SHA1
767dad49922a110ead7e51ee3aa37d07d4df387a

SHA256
147e41abc7cb9adf37f52474f22e18bf33341940549b74c904a0d59d744b7211

SHA512
07eb452ea4767b27953b6dcd0781db6f0db0a5fafda70bde45743a103201846fbc5d344cf28c424a7c71115d0efb91392aa3386b4009e7197bef6c7157de255b

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
0dd5fef580590753633e480b543dd5fe

SHA1
5abf1db6075ba5c53ca668f312abd5ab704398c9

SHA256
6cf85c12b5ce3d13ce2defe0b33f78404e5a3e561c0a77c82414d270e1134166

SHA512
2aee4fea15a50f642edf906b5d4c71e70cfaeff3b811d54f827c24caa90b5ea945a482f8a7d71571c2557816e85047655943259c8c3dc7479525db96787c925c

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
b90ee492e940326b3f9e27f38e4ce42c

SHA1
f2423ef284482f5d1b14863ebe8873f0429493ae

SHA256
e4735c90af6f579caf746c25176c09abd8593f0beb0c3de25555e39fc1f26a9a

SHA512
47e9e0a4c880cf1fb9964cba089088df230a6a7a0c3006978d4672a20b2de77b667dd0aedc5362aa1197434274fc91e9e31f45c8a6769449fb05c1c957a4af41

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
5c20864446331d36a31371416f9e763c

SHA1
9c86a9540f309803a2671b175887a7208c9c2fa5

SHA256
a7704fc71a8833fc2df3d083cd8068aa655a49a494dda6e3525c0da5b5353a3d

SHA512
a56c5f15d12dd7036c3ac0cbbf6bae9bf3b37e3c157efdc1f41f9beace716605ce014be66e85f99a68f49b562363e3f074d7303e789724f008a078776820d9dc

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
5c20864446331d36a31371416f9e763c

SHA1
9c86a9540f309803a2671b175887a7208c9c2fa5

SHA256
a7704fc71a8833fc2df3d083cd8068aa655a49a494dda6e3525c0da5b5353a3d

SHA512
a56c5f15d12dd7036c3ac0cbbf6bae9bf3b37e3c157efdc1f41f9beace716605ce014be66e85f99a68f49b562363e3f074d7303e789724f008a078776820d9dc

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
caddd259852226052009a136d56edfaf

SHA1
d150b40f510917d22580876bb6345627745b7184

SHA256
e6eb9ad10bcd2a5604437f04c57ee617e3ee6b72d1d0469d53b9a95fb7a2063b

SHA512
bbd13e7545fbabdaf584b6d28c342be1b82b8165e18b8161c510e0268527995ba8afa0f6df692b3b85c4957910fb93c4a392c8ee670adeafbb69ccc91557d453

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
d390c2df7276cd2f5ea1c2b876dd59f6

SHA1
e9bd3939a082487d96d70e6ebfe25d2a00976042

SHA256
f19c77de8ca0c39f7b2122c56273aa1ee5854ae3ae8419c25206bbfeca8ea7ae

SHA512
1ecd3b2c486bc5f84e675b10b120090f3d604cfe88e9f2b94d5bb78d6f885d9deccc936d41b884751d94324b01b706e9f89026e9cd2d61f2ed641f6fcbd21a94

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
17ba156107fb75e6c1c3c9570e7f570e

SHA1
35c2ee5f60e111257e340dc1e1f15ee73c609863

SHA256
08b832beadf3971210614c79a28b12ebeb0858e2ef3833862907ce6f7d0449f2

SHA512
fc5dc7405c816e9ffe51786a7b40fbbdc71cfacc1384b5cf37efd8fbfd6038c3d7cb61f287e9274a3dca6e6fbf06004b8bd97bc06ad2b238970612aef23c5816

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
56db163d7c4ff3e14f287b6b1bb6ae83

SHA1
30e5bbb85586c4baaf9e275f7a7877b295fced5e

SHA256
a7a2fc32f6a7a13c183dbc5091af0a7bf6d7737c197007c1c72732dd1223b6f0

SHA512
5bbad30a7278abcfeb4b7509f2f2cb1ccd4de649fc142828d3b3b68581327b17df2a7468bac71d1348ac1f9e09da0dc1afc53223357744c418359ecdbfaed489

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
b354556c29dcab25493055ca38e84967

SHA1
2048833206e0b6301c9f298b903efa5b6226edd8

SHA256
57b5da7afd30791aa94490b0c79641b5a52e36af06aed9822bfabaeeb9299aed

SHA512
1bdce770257b142f9de8285304bf64dd7a5f42cb57e39a7fcce6295b54f648ad166344468fba29e70e1d6ff48ee46986ab7f06e26091fdda4a6ca0bf0ccac149

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
79f56556c8961a9134b410f9fe00f232

SHA1
9028aec959f158e6b88f2ead4a4264a8a79c5237

SHA256
003537e4709c54293d71ddc48908f3d4a0cc61a6f7496486d5c04dc97ec98972

SHA512
48e2ef4cc8f8a0fd4fdd624cbc03b11895fa3ee09123ee96298018eab97db0944df1ec86a8a167a36606d232045da0f24e1b998d08f4dc6da2c2806680e753f3

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
3831316a7407d7f3be9046cb52715f56

SHA1
a661209d218018090ffd0a3cfb3cf291a5c1289b

SHA256
3eb1eaf4a2feb455a5543e0a3822a352a8832a9d2266d71e9dfc52806de41446

SHA512
24e3d9d884881f22efe9a193e06a106fe02c38a1a10a6e1bcae554bf1b14cbefd68429159996ef0911843bc1d640fd8286296a960118b1c73c2ce97dd942c4e4

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
05cbfe7d39f9f1d7f2ba3556991b28ed

SHA1
68e03b0629940fe7f59a632285d14fdc8784b202

SHA256
8a7c15dee95d64d0d28a031e1414864ba4ab2c40c7b2ab8a411fb5b8dc1222b2

SHA512
3d3006b5577d1edb594c1e9546124036bf1c6e37e308975770997d44e874811bf8ad33c5f33ecd67d427eaea97b67dab4effbee6e5bf78d8490896c37e4dd716

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
760ba3e8a0223f029b7c169354c37ffc

SHA1
98984de4659acc40ad917d9c24d2a62a4fe3e932

SHA256
80f4a0b3dd49fba85076fb5282f32e62f5d7cbc9f37786ac79e0d2ce4fee99c8

SHA512
23d3d0cfe2f5607fe162c5721fbc52246d4b848e683ef60501d0cf9cb6f25a8beb0a45339fad7e5892b5901e7e68990a9ec2efe188da3e17151153cc12136d8c

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
af44d1a8881edd1f9046dc7666d76974

SHA1
42a17b3c35a635f9eb3b945f94edfdbecb64d900

SHA256
6f2d2b3183888aea25bb621a43ec877ce9eed725bc4633cc429dc6cbfb4b7e16

SHA512
1ab1555882549f9b750de21e3e15f649239ccb7a6a756b281ed196512a45c5163e3644c727bf2e916084cbd13fdfa5f869ad8622e077dd6c62d465ac8047b8ff

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
e49282195310ee4b6407302763d5cb50

SHA1
db157609150927698a6108d3c6ff572f9b186a33

SHA256
c2daa246329e619813d08d9f2701f0ea55b7b2510077f9d79c6a0f4c3d5db059

SHA512
d9bdbebee6f542729feab92258d6804e850458064ce71e0191ebb00f15de7554abea537253ec5b4f2548615890a9de95411286ebf3ac64b13adcf4a6e5397444

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
bda71bcbde70f7bb28ca41c4bcad9d5c

SHA1
4b4a7dc057be0859b09b14720ef56de84224c9e6

SHA256
2c20c1fe942a0b88779c4ca64679c1de5049823b944581330f1f14709122d9ae

SHA512
d83c7552078e63a543211140c5fabc0450fd8e8c22967a20251011183b380a719b9da6a84365f176ef9ec3828b889a18a0b775318c05790812778ad8816358ed

Download Submit
memory/536-594-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/536-433-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/752-373-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/756-194-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/756-197-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/756-181-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/756-189-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/756-187-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/1208-270-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/1652-514-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/1652-240-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/1652-234-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/1692-272-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/1908-292-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/2032-593-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/2032-431-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/2060-226-0x0000000002290000-0x00000000022F0000-memory.dmp

Filesize
384KB

Download
memory/2060-229-0x0000000002290000-0x00000000022F0000-memory.dmp

Filesize
384KB

Download
memory/2060-232-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2060-220-0x0000000002290000-0x00000000022F0000-memory.dmp

Filesize
384KB

Download
memory/2128-360-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2188-133-0x00000000006A0000-0x0000000000840000-memory.dmp

Filesize
1.6MB

Download
memory/2188-137-0x00000000051C0000-0x00000000051D0000-memory.dmp

Filesize
64KB

Download
memory/2188-138-0x00000000051C0000-0x00000000051D0000-memory.dmp

Filesize
64KB

Download
memory/2188-135-0x0000000005210000-0x00000000052A2000-memory.dmp

Filesize
584KB

Download
memory/2188-136-0x00000000053B0000-0x00000000053BA000-memory.dmp

Filesize
40KB

Download
memory/2188-139-0x0000000007650000-0x00000000076EC000-memory.dmp

Filesize
624KB

Download
memory/2188-134-0x00000000057C0000-0x0000000005D64000-memory.dmp

Filesize
5.6MB

Download
memory/2424-157-0x0000000000560000-0x00000000005C0000-memory.dmp

Filesize
384KB

Download
memory/2424-171-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/2424-163-0x0000000000560000-0x00000000005C0000-memory.dmp

Filesize
384KB

Download
memory/2452-326-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/3216-541-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/3216-273-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/3288-173-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/3288-169-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3288-177-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3288-427-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/3936-512-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3936-206-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/3936-212-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/3936-218-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4148-649-0x00000265CC6B0000-0x00000265CC6C0000-memory.dmp

Filesize
64KB

Download
memory/4148-728-0x00000265CC910000-0x00000265CC920000-memory.dmp

Filesize
64KB

Download
memory/4148-738-0x00000265CC910000-0x00000265CC920000-memory.dmp

Filesize
64KB

Download
memory/4148-737-0x00000265CC910000-0x00000265CC920000-memory.dmp

Filesize
64KB

Download
memory/4148-734-0x00000265CC890000-0x00000265CC8A0000-memory.dmp

Filesize
64KB

Download
memory/4148-733-0x00000265CC890000-0x00000265CC8A0000-memory.dmp

Filesize
64KB

Download
memory/4148-732-0x00000265CC890000-0x00000265CC8A0000-memory.dmp

Filesize
64KB

Download
memory/4148-731-0x00000265CC890000-0x00000265CC8A0000-memory.dmp

Filesize
64KB

Download
memory/4148-730-0x00000265CC910000-0x00000265CC920000-memory.dmp

Filesize
64KB

Download
memory/4148-729-0x00000265CC910000-0x00000265CC920000-memory.dmp

Filesize
64KB

Download
memory/4148-655-0x00000265CC6D0000-0x00000265CC6E0000-memory.dmp

Filesize
64KB

Download
memory/4148-654-0x00000265CC6D0000-0x00000265CC6E0000-memory.dmp

Filesize
64KB

Download
memory/4148-727-0x00000265CC910000-0x00000265CC920000-memory.dmp

Filesize
64KB

Download
memory/4148-726-0x00000265CC910000-0x00000265CC920000-memory.dmp

Filesize
64KB

Download
memory/4148-725-0x00000265CC910000-0x00000265CC920000-memory.dmp

Filesize
64KB

Download
memory/4148-724-0x00000265CC910000-0x00000265CC920000-memory.dmp

Filesize
64KB

Download
memory/4148-674-0x00000265CC890000-0x00000265CC8A0000-memory.dmp

Filesize
64KB

Download
memory/4148-673-0x00000265CC890000-0x00000265CC8A0000-memory.dmp

Filesize
64KB

Download
memory/4148-672-0x00000265CC890000-0x00000265CC8A0000-memory.dmp

Filesize
64KB

Download
memory/4152-590-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/4152-330-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/4180-202-0x0000000000E30000-0x0000000000E90000-memory.dmp

Filesize
384KB

Download
memory/4180-216-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4180-511-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4180-192-0x0000000000E30000-0x0000000000E90000-memory.dmp

Filesize
384KB

Download
memory/4320-538-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4320-294-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4324-375-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4324-591-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4408-394-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4408-592-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4596-199-0x0000000000160000-0x00000000001C6000-memory.dmp

Filesize
408KB

Download
memory/4596-214-0x00000000049F0000-0x0000000004A00000-memory.dmp

Filesize
64KB

Download
memory/4752-150-0x0000000002E20000-0x0000000002E86000-memory.dmp

Filesize
408KB

Download
memory/4752-145-0x0000000002E20000-0x0000000002E86000-memory.dmp

Filesize
408KB

Download
memory/4752-392-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/4752-144-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/4752-143-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/4752-140-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/4776-589-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4776-328-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4984-348-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download