blustealer | ba90f21e249436110f895833ddbb4f0da58497250cbc56f1dc60fec823e64a08

Analysis

max time kernel
145s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05-05-2023 18:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
Size

1.4MB
MD5

34aa0ca40863c30653a0b6ba10d3daa2
SHA1

c5dbbc9a3f6d537ab49aeb89223810cd67c256f7
SHA256

427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9
SHA512

34e46909f3ea586033baa5f73ecbf1f5072f2d05cfaf77f6ab2535ee0798f01427b1e62719fc4026f4b38af03e445a33ff2deb22ef9817ab42e506cfb5cb10d2
SSDEEP

24576:O94Lauo2BLrZ6dj7Wd50QKQIsBJXkQsUc/i/Egj87qLom0Y5m6Uy:O/uHrZ6WPKQ5X0QsUN/EgQ7qEmv

Score

10^/10

blustealer collection spyware stealer

Malware Config

Extracted

Family

blustealer

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 22 IoCs

pid	Process
488	alg.exe
3412	DiagnosticsHub.StandardCollector.Service.exe
1064	fxssvc.exe
1484	elevation_service.exe
2672	elevation_service.exe
4064	maintenanceservice.exe
4000	msdtc.exe
4388	OSE.EXE
4236	PerceptionSimulationService.exe
824	perfhost.exe
4504	locator.exe
960	SensorDataService.exe
2352	snmptrap.exe
1440	spectrum.exe
3808	ssh-agent.exe
1684	TieringEngineService.exe
4608	AgentService.exe
4928	vds.exe
3944	vssvc.exe
1264	wbengine.exe
4744	WmiApSrv.exe
3280	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SgrmBroker.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Windows\system32\AgentService.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\c83e30bc0346ca3.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Windows\system32\msiexec.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Windows\System32\msdtc.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Windows\system32\vssvc.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Windows\System32\vds.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Windows\system32\wbengine.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Windows\System32\alg.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Windows\system32\locator.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Windows\system32\spectrum.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1684 set thread context of 4588	1684	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe	93
PID 4588 set thread context of 1844	4588	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe	120

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javacpl.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\xjc.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jcmd.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jabswitch.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\policytool.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\java-rmi.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\orbd.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\policytool.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\schemagen.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jp2launcher.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\tnameserv.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmiregistry.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jps.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\klist.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\pack200.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jinfo.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jrunscript.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jjs.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdb.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmap.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\tnameserv.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\wsgen.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\keytool.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\java.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\ktab.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdeps.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\unpack200.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\ktab.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bb0596257f7fd901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ade43d4d7f7fd901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000aab3694c7f7fd901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dc29414c7f7fd901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000014916d4d7f7fd901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002e530a4c7f7fd901	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000065021b4c7f7fd901	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008edc324c7f7fd901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	86	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
1684	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
1684	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
1684	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
1684	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
4588	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
4588	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
4588	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
4588	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
4588	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
4588	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
4588	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
4588	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
4588	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
4588	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
4588	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
4588	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
4588	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
4588	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
4588	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
4588	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
4588	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
4588	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
4588	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
4588	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
4588	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
4588	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
4588	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
4588	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
4588	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
4588	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
4588	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
4588	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
4588	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
4588	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
4588	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
4588	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
4588	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
4588	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
4588	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeDebugPrivilege	1684	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
Token: SeTakeOwnershipPrivilege	4588	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
Token: SeAuditPrivilege	1064	fxssvc.exe
Token: SeRestorePrivilege	1684	TieringEngineService.exe
Token: SeManageVolumePrivilege	1684	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4608	AgentService.exe
Token: SeBackupPrivilege	3944	vssvc.exe
Token: SeRestorePrivilege	3944	vssvc.exe
Token: SeAuditPrivilege	3944	vssvc.exe
Token: SeBackupPrivilege	1264	wbengine.exe
Token: SeRestorePrivilege	1264	wbengine.exe
Token: SeSecurityPrivilege	1264	wbengine.exe
Token: 33	3280	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3280	SearchIndexer.exe
Token: SeDebugPrivilege	4588	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
Token: SeDebugPrivilege	4588	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
Token: SeDebugPrivilege	4588	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
Token: SeDebugPrivilege	4588	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
Token: SeDebugPrivilege	4588	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4588	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 1684 wrote to memory of 3308	1684	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe	91
PID 1684 wrote to memory of 3308	1684	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe	91
PID 1684 wrote to memory of 3308	1684	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe	91
PID 1684 wrote to memory of 4452	1684	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe	92
PID 1684 wrote to memory of 4452	1684	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe	92
PID 1684 wrote to memory of 4452	1684	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe	92
PID 1684 wrote to memory of 4588	1684	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe	93
PID 1684 wrote to memory of 4588	1684	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe	93
PID 1684 wrote to memory of 4588	1684	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe	93
PID 1684 wrote to memory of 4588	1684	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe	93
PID 1684 wrote to memory of 4588	1684	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe	93
PID 1684 wrote to memory of 4588	1684	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe	93
PID 1684 wrote to memory of 4588	1684	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe	93
PID 1684 wrote to memory of 4588	1684	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe	93
PID 4588 wrote to memory of 1844	4588	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe	120
PID 4588 wrote to memory of 1844	4588	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe	120
PID 4588 wrote to memory of 1844	4588	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe	120
PID 4588 wrote to memory of 1844	4588	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe	120
PID 4588 wrote to memory of 1844	4588	427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe	120
PID 3280 wrote to memory of 4040	3280	SearchIndexer.exe	121
PID 3280 wrote to memory of 4040	3280	SearchIndexer.exe	121
PID 3280 wrote to memory of 3988	3280	SearchIndexer.exe	122
PID 3280 wrote to memory of 3988	3280	SearchIndexer.exe	122

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
"C:\Users\Admin\AppData\Local\Temp\427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Users\Admin\AppData\Local\Temp\427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
  "C:\Users\Admin\AppData\Local\Temp\427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe"
  2⤵
  PID:3308
- C:\Users\Admin\AppData\Local\Temp\427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
  "C:\Users\Admin\AppData\Local\Temp\427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe"
  2⤵
  PID:4452
- C:\Users\Admin\AppData\Local\Temp\427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe
  "C:\Users\Admin\AppData\Local\Temp\427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4588
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path
    PID:1844

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:488

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3412

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:5028

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1064

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1484

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2672

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4064

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4000

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4388

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4236

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:824

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4504

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:960

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2352

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1440

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3808

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1684

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3824

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4608

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4928

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3944

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1264

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4744

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3280
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4040
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 908 916 924 8192 920 904
  2⤵
  - Modifies data under HKEY_USERS
  PID:3988

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
27faf58ef71742b1e8bacae8148008a3

SHA1
23308c83da93c6daa4b395c215a1e2c1c82ac903

SHA256
a7e66ae4865624e8c74726f17403ffae48054f56729903e216147047805d07bf

SHA512
aa9225228303b55bfedd8d59d49cd1ac804db633d82870b86348a3f188f05c694f627f87d3010931c2eaf25e5cf5f359a391c6877dadfcdb8edd70cc2f370191

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
cf499e45b07d1142b3ffe9cc695c0194

SHA1
56e704514fe7c62e081c86d25ced83484241484b

SHA256
49b7262458961283b1a5f834203ea78c88bd16ecae8519c51e9736033d53a0e1

SHA512
5273daefdae93d580d4de8012ab5f3b61b8286c8f1f5c3a635d20aac32e3f5624e23ddb697a777d210748e6ff1e8b66cf51758637b8736374a824342eb9cffce

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
45dd9126faade7c85aecfd387c2a4438

SHA1
4746a18da678294a820ce7c59c49bf722185efd8

SHA256
32b849e3ab8b4792af4a3d33dc653190b7c8435827b7eb2f732ebb1bc91d0400

SHA512
cd488d22d0d66c8eb22e68bc06909596bacb20ff233729d4cd6098e2969e30323d21c09a6c073ed250dff624bc1dc5ae24ba735d9cb695dea0b5fbd2a8c7ba3e

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
54493886d8871bc88b02325d8edf65c5

SHA1
299227fcc0d486c7c29aa4a9b51f3f598cf601dc

SHA256
fb7ac08d53b89f1175675a8b787370065acb407624bcef6afbf25d334cfa5b70

SHA512
d06f7deb3f81d1e47c385d76135161a609e44e4cf09736b19f4b89d0db1ed34b77c61105f23a682e680a6550092501904cb55db97ca68a75b2bdb1a7f8b1988b

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
bd3d638ecae9606d746fcfe5fbc1db09

SHA1
9a29f6da68c8386f536f554b0a831a86c7773698

SHA256
bf1fa52210dd2af33b8298170757bcca3ac544f1eb19a31b18d48044d0d76cb2

SHA512
def6ed146c958883e0dc925df5601b89fd17fdc073040b552a2d1e6ccba2d8d47e05e78de8f8d2559fc341be3a56a7d30801d4d858aa391d1f9e3d1349a53cfe

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
0dbc0729ea8b9210a2408d4e6dc0efcd

SHA1
f1b2992635767b7b8c514a3d89c8cc4387c4a6b3

SHA256
645819f95f6d5d0d474fb3af7deb0c9c939530007ca4e65b696993fe64054ec6

SHA512
13fa737b4c3b28efcdda1f66c1a75d6141bcd687018b7775c81ba7e02f3168e1f5c5f0468b12fedb432b9fca12de2b1006df9e3d4793ad08f26b7cb471caced6

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
2611afe7d4bd496ce6b1680d973668e0

SHA1
0488878d7ed95554a139b7c897ddc2227906ce6b

SHA256
e414b1878253e4bcf9d0150c75fc1042ac14bb558622c3e2befab4c23bbde9fd

SHA512
14c5850e209bfd20c4a686a20592c61776757b16d2bdea9551ab2b17f67e25db80d42bd5d0112c5cee966698ab602a803d848ec4ce2655f9b380e855c9299ce8

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
cdd2deacbf869d0b8c813f9f3afac8db

SHA1
a279ba8382985d4fb8f73a94f499e9a33f87e55e

SHA256
305f593efe16fee8317a2314cbb4607ce080152897d7af3bfba33ef636d9a97c

SHA512
c1ae459d730a59d995d5ec2b67128a23972a4d7698635cf58b397363c646ab0d8ee8d4fd0484f1b09b3efb8e2b8cdb577d4fc356825020a40724ab02c791876e

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
1127f5c1185ba61a37f3c187a12dc277

SHA1
5c50c3ad7bed94dcaff13675dee7f11d84c1f2d9

SHA256
371bfb78197f74716d83d62fc27533fdb1dc99ef8b9b38d72c19bdfff9217baf

SHA512
fbc5de00406dd1c13d41d5b7b15ddc0745c8c319983a8af6a23d17fa9234d5d70f11b65db0ae3a19972b64b6b09b03b65bd309f7438fd6d01b9d5e7144cd3286

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
fbd64535ee7cada2c5dcb3ff4a237d93

SHA1
69f217d966269466f6666ca4a97250e78bd32e0f

SHA256
b4526ca80a3ea6bc4885c3ebe5f8189326232a3571eb3358e96ae60231aedc46

SHA512
446c4c7478eec00eaa4a0d31141d5932d6cf225fdcac6c0ad613e366ce0b0d2be9f9496dec3e6854f4b3b4714eb67c05ade5d16194456eb2f42d8b59a4822d8c

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
fbd64535ee7cada2c5dcb3ff4a237d93

SHA1
69f217d966269466f6666ca4a97250e78bd32e0f

SHA256
b4526ca80a3ea6bc4885c3ebe5f8189326232a3571eb3358e96ae60231aedc46

SHA512
446c4c7478eec00eaa4a0d31141d5932d6cf225fdcac6c0ad613e366ce0b0d2be9f9496dec3e6854f4b3b4714eb67c05ade5d16194456eb2f42d8b59a4822d8c

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
6491912a8787bb0ad2e1af426457d6eb

SHA1
00e844f40dab80ed25a95792acb63dfbe65b9298

SHA256
074d2ebd1a784da5691759913aceb7d8c3eed71b5c524e6cc0733dbea8eea0a6

SHA512
0c07cda3ed7262ac04855122b5cd808be9d8d64230e27702155c45d2fbf2a9635a349add6d5362720b134d989f3472941e7e92a44732c0ddd1b36880f32998fe

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
f9eea313d689bbae765830b0ef1df481

SHA1
f15fbf3c5af06f6343d037e47ac23b355543b588

SHA256
3cb6aa919091e62c3016e6cf370aef7c1375aa84eaa1d968a62474741128ca90

SHA512
84e65f978911d12dc2ef1b079a40866d8b8bd0a1ed46f2cea4aa543661e8452a19bc15af0f9616c5e5edb46e59a5416608e3099af55890c319b2a69dd7d8f4c4

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
a2967c16b19781c1fc8dd6df8d1256a5

SHA1
e0d4fda1feb22958f1f257f5f5cad421bc503310

SHA256
5fbc9ae91ed4336eade0290a6ea4ec6ee187b3385639a79f51bcf1695878248d

SHA512
5dac8d328d87062f0ae70b3f4bce261db1ec721114a90eb61df7a0b6dfc77598c2cec7ec5f811c07f068cc126ed76cbd8cdb161a9f560dbf4d7581e28a449e3b

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
92895b40b1f70a0c16bb7f9866d23190

SHA1
48a802e6b80c40decc5f7c4e698f7cfcf5a27f0d

SHA256
aef8b2846256cb4a8f2bde75fb8166eec53980160dd879a98d65747409fcba23

SHA512
22b684a63c31c6fd2d5f6fd0c761b67f9f3e7fcdd35b07e825b09c75046f9c0d48dbb36174f046b5744308664d6630c1f5fd5d77a77f5b2c13cc71dad06c1550

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
304a4483d218646bba4261f5f97c078f

SHA1
05b227ce7fdec7a3f3490abce8464c06ffc07445

SHA256
5f0e7c8aeb861895803d14fa7f33367f387ff26149d2c83871f66cde991bffc3

SHA512
85e0cd84acb7e9d75c89b36cdd0413cf0b7910d1a9f4ce5e07922c29a11a5374aa4b8842f40a3ef71ac0ddcdd5c8235ce3e04bc8e60c8a0a1183d9b47edd41de

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
592d05adfd835528fe3d33243cfc3a13

SHA1
f0b1cbffefe62dfafd8a329cfc2d676a9d8e3223

SHA256
277f51080b7009c6129191f05de5462b8828f52e462314c0c384f8df94db6e06

SHA512
396ef1b5160b3ec3457d55674cc9d00daeeb22bd8be7a71b8c678ba562aaac77686c4d1d45e12649ed66f3ed85ee677e1fa322d428dd53bfddcb49e55ff5f52b

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
e53d7d5be122445251371a5d7c1ad547

SHA1
be4c46f6e3ba14f7a13336ab7d951580fc4ad3c8

SHA256
7c84f3527aac09d7fd19b44050aece6881b3c86f414580bd558a5bd2bf9dccba

SHA512
f816902aa97d4c38c8dc188bf2432bb3354eb00a52fee859b4340d600e1fdb54fb712fe89e5ed56de83300ded573665d0e55b544f34b4fed802659d2090d1566

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
316201a11debb1d5e0d308229a5aa8d8

SHA1
c7d94e3fbce39fde6cd259401f9a9d670b40c7b4

SHA256
c172eef05ba38f2fc9541af974031ac9bfb6ca25177beed0d1006d8f322f4f2e

SHA512
8bb213c4e0945200107f82be5af974d00dbf5c6cc7be18f645842188aa23b00179c62a5575d773ac27c24fd2a2cb43bdd56a07602ca7007356794a9a9a11dd4d

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
a326277b6202f2fb5a79e90faaf0542a

SHA1
5dac78daead0b0f554aabfdd9c6ef33a5f4e2bd2

SHA256
db8f0eb48ba05601046585c23ffc75cc99790c9f78c68b489e7835781443fe46

SHA512
4fe040448c81e6a57951422855405d9df5012f248d10ff7c3fdf800c113882928bb8e9129f4603a597b11e0b8b340d05479dc2e3812df43f35ae84a326bce516

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
cccc873a5d6b3a11ee2f4d0f3034b273

SHA1
85206494f7e02b3ec1fcb89740ed87520e99609f

SHA256
ed26a14027e949da63572cc85e7f249894a78a5ba64c0fbb7332595513296803

SHA512
e9e65e317309ec51a599a426a2abdcef349eedee92c1c979ead6735fbc83e7271b9b4d45e9621d42cde3006bf41ad278a3e7d3bf8b137490d0513e94c3497e94

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
d4c3fb3bc36287d82d321e03f8d585ab

SHA1
f5696ca4b4f4e2943588b26cef1cee78c548c6ff

SHA256
dd9153ec424144c7e2f119c54753f6dc76a778e2becfbcf6601f9665d250b081

SHA512
a86cdfb3c71c36c0b4287a2cc3c8fe55613b61933c63683f8eb4b7114c8c1c8b87dfc9817367d167b99b1063ad15e356e25f08140756412c36970622a9bfaa8d

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
647ff72584e7a9fdbaca49fce75fe6f3

SHA1
6f9db868071475f76e7c152e6f6bfb81dd56acb6

SHA256
c93531a47904a58f1c14f52bdf4d2bb9b56e54c4f59b145bc67782907a8505ed

SHA512
06a37eb7d433a5432f42c184bc0152144f574532befaffd66bd9a6ca277487eb32ddd49cb3acef49712b20863c6e1573ebfe143afbd0f57b3840ab083f3e2deb

Download Submit
memory/488-173-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/488-163-0x0000000000590000-0x00000000005F0000-memory.dmp

Filesize
384KB

Download
memory/488-157-0x0000000000590000-0x00000000005F0000-memory.dmp

Filesize
384KB

Download
memory/824-278-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/960-299-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/960-422-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1064-191-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1064-189-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/1064-181-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/1064-187-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/1264-400-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1440-325-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1440-498-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1484-194-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1484-338-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1484-200-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1484-203-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1684-136-0x0000000005A50000-0x0000000005A5A000-memory.dmp

Filesize
40KB

Download
memory/1684-339-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/1684-530-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/1684-134-0x0000000006050000-0x00000000065F4000-memory.dmp

Filesize
5.6MB

Download
memory/1684-139-0x0000000007C90000-0x0000000007D2C000-memory.dmp

Filesize
624KB

Download
memory/1684-138-0x0000000005C60000-0x0000000005C70000-memory.dmp

Filesize
64KB

Download
memory/1684-137-0x0000000005C60000-0x0000000005C70000-memory.dmp

Filesize
64KB

Download
memory/1684-135-0x00000000059A0000-0x0000000005A32000-memory.dmp

Filesize
584KB

Download
memory/1684-133-0x0000000000E90000-0x0000000000FFC000-memory.dmp

Filesize
1.4MB

Download
memory/1844-463-0x0000000005680000-0x0000000005690000-memory.dmp

Filesize
64KB

Download
memory/1844-421-0x0000000001200000-0x0000000001266000-memory.dmp

Filesize
408KB

Download
memory/2352-311-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2672-362-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2672-211-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/2672-205-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/2672-221-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3280-413-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3280-598-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3412-177-0x0000000000550000-0x00000000005B0000-memory.dmp

Filesize
384KB

Download
memory/3412-175-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/3412-169-0x0000000000550000-0x00000000005B0000-memory.dmp

Filesize
384KB

Download
memory/3412-324-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/3808-326-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/3808-499-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/3944-383-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3944-555-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3988-707-0x0000021B6D0D0000-0x0000021B6D0E0000-memory.dmp

Filesize
64KB

Download
memory/3988-711-0x0000021B6D0D0000-0x0000021B6D0E0000-memory.dmp

Filesize
64KB

Download
memory/3988-751-0x0000021B6D2E0000-0x0000021B6D2F0000-memory.dmp

Filesize
64KB

Download
memory/3988-746-0x0000021B6D0D0000-0x0000021B6D2D0000-memory.dmp

Filesize
2.0MB

Download
memory/3988-748-0x0000021B6D2D0000-0x0000021B6D2E0000-memory.dmp

Filesize
64KB

Download
memory/3988-750-0x0000021B6D2E0000-0x0000021B6D2F0000-memory.dmp

Filesize
64KB

Download
memory/3988-747-0x0000021B6D2D0000-0x0000021B6D2E0000-memory.dmp

Filesize
64KB

Download
memory/3988-713-0x0000021B6D0D0000-0x0000021B6D0E0000-memory.dmp

Filesize
64KB

Download
memory/3988-712-0x0000021B6D0D0000-0x0000021B6D0E0000-memory.dmp

Filesize
64KB

Download
memory/3988-709-0x0000021B6D0D0000-0x0000021B6D0E0000-memory.dmp

Filesize
64KB

Download
memory/3988-708-0x0000021B6D0D0000-0x0000021B6D0E0000-memory.dmp

Filesize
64KB

Download
memory/3988-749-0x0000021B6D2D0000-0x0000021B6D2E0000-memory.dmp

Filesize
64KB

Download
memory/3988-704-0x0000021B6D0D0000-0x0000021B6D0E0000-memory.dmp

Filesize
64KB

Download
memory/3988-710-0x0000021B6D0D0000-0x0000021B6D0E0000-memory.dmp

Filesize
64KB

Download
memory/3988-694-0x0000021B6B730000-0x0000021B6B740000-memory.dmp

Filesize
64KB

Download
memory/3988-696-0x0000021B6B740000-0x0000021B6B750000-memory.dmp

Filesize
64KB

Download
memory/4000-231-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/4000-234-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/4000-382-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/4064-222-0x00000000014D0000-0x0000000001530000-memory.dmp

Filesize
384KB

Download
memory/4064-223-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4064-227-0x00000000014D0000-0x0000000001530000-memory.dmp

Filesize
384KB

Download
memory/4064-229-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4064-215-0x00000000014D0000-0x0000000001530000-memory.dmp

Filesize
384KB

Download
memory/4236-266-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/4388-254-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/4504-462-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/4504-280-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/4588-140-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/4588-143-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/4588-310-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/4588-154-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/4588-144-0x0000000003260000-0x00000000032C6000-memory.dmp

Filesize
408KB

Download
memory/4588-149-0x0000000003260000-0x00000000032C6000-memory.dmp

Filesize
408KB

Download
memory/4608-360-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4744-401-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/4744-577-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/4928-552-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4928-366-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download