blustealer | 7a62f4e361c2f327d6d3949e1d05ba5a9d36bf88e25a1fe567e037bbc8943a94

Analysis

max time kernel
151s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05-05-2023 20:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
Size

1.6MB
MD5

e90e41677f6030ffc3eac62929ced1d9
SHA1

edb0a2acdec33328a864ac178bfb0b42a2e0d444
SHA256

dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205
SHA512

a2e20c8b160c366baed60adca173587e5c3b94b811f4f52ac3aaab01a0301716e30cc7c7d2a426ee32a6df651021717e4fe097073610860a949e7933468e10fa
SSDEEP

24576:KRKQxWUF61/J27K4mgZB67gTsD6RROjiDefziWX2GDjGBXtnZYx:K4QcUFO34mg367gTOwMMohjw9Z+

Score

10^/10

blustealer collection stealer

Malware Config

Extracted

Family

blustealer

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 22 IoCs

pid	Process
628	alg.exe
1324	DiagnosticsHub.StandardCollector.Service.exe
4488	fxssvc.exe
2448	elevation_service.exe
4920	elevation_service.exe
3532	maintenanceservice.exe
4964	msdtc.exe
3808	OSE.EXE
1272	PerceptionSimulationService.exe
4288	perfhost.exe
320	locator.exe
224	SensorDataService.exe
64	snmptrap.exe
2176	spectrum.exe
4456	ssh-agent.exe
2444	TieringEngineService.exe
4828	AgentService.exe
3384	vds.exe
4312	vssvc.exe
3392	wbengine.exe
4308	WmiApSrv.exe
4128	SearchIndexer.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Windows\system32\AgentService.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Windows\system32\vssvc.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Windows\System32\alg.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Windows\system32\msiexec.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Windows\system32\locator.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Windows\system32\spectrum.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Windows\System32\vds.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\aeeb5544c94b1c77.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Windows\System32\msdtc.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Windows\system32\wbengine.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1964 set thread context of 4432	1964	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe	90
PID 4432 set thread context of 3240	4432	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe	97

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmap.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jhat.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\servertool.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\java-rmi.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\policytool.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdb.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\native2ascii.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javacpl.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javac.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmiregistry.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ssvagent.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\klist.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jjs.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmc.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstatd.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javacpl.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jvisualvm.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jp2launcher.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\policytool.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jjs.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\orbd.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstack.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\unpack200.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\unpack200.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\java-rmi.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javaws.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\wsgen.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jabswitch.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\java.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\ssvagent.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\kinit.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\klist.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\ktab.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jinfo.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jsadebugd.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\tnameserv.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\klist.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\java.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000081dd91f0ad7fd901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c4cd5ff0ad7fd901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	57	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
644	Process not Found
644	Process not Found

Suspicious use of AdjustPrivilegeToken 38 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4432	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
Token: SeAuditPrivilege	4488	fxssvc.exe
Token: SeRestorePrivilege	2444	TieringEngineService.exe
Token: SeManageVolumePrivilege	2444	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4828	AgentService.exe
Token: SeBackupPrivilege	4312	vssvc.exe
Token: SeRestorePrivilege	4312	vssvc.exe
Token: SeAuditPrivilege	4312	vssvc.exe
Token: SeBackupPrivilege	3392	wbengine.exe
Token: SeRestorePrivilege	3392	wbengine.exe
Token: SeSecurityPrivilege	3392	wbengine.exe
Token: 33	4128	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4128	SearchIndexer.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4432	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 4432	1964	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe	90
PID 1964 wrote to memory of 4432	1964	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe	90
PID 1964 wrote to memory of 4432	1964	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe	90
PID 1964 wrote to memory of 4432	1964	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe	90
PID 1964 wrote to memory of 4432	1964	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe	90
PID 1964 wrote to memory of 4432	1964	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe	90
PID 1964 wrote to memory of 4432	1964	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe	90
PID 1964 wrote to memory of 4432	1964	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe	90
PID 4432 wrote to memory of 3240	4432	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe	97
PID 4432 wrote to memory of 3240	4432	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe	97
PID 4432 wrote to memory of 3240	4432	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe	97
PID 4432 wrote to memory of 3240	4432	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe	97
PID 4432 wrote to memory of 3240	4432	dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe	97
PID 4128 wrote to memory of 4708	4128	SearchIndexer.exe	118
PID 4128 wrote to memory of 4708	4128	SearchIndexer.exe	118
PID 4128 wrote to memory of 4100	4128	SearchIndexer.exe	119
PID 4128 wrote to memory of 4100	4128	SearchIndexer.exe	119

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
"C:\Users\Admin\AppData\Local\Temp\dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Users\Admin\AppData\Local\Temp\dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe
  "C:\Users\Admin\AppData\Local\Temp\dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4432
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path
    PID:3240

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:628

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1324

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3804

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4488

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2448

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4920

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3532

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4964

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3808

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1272

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4288

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:320

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:224

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:64

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2176

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4456

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4484

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2444

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4828

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3384

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4312

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3392

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4308

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4128
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4708
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  PID:4100

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
b9abdf8c6c91ad1573d15f337d319fa9

SHA1
b30c104926ef03133778a2880b907910fb80a83d

SHA256
6e44118d67ae58a710380de3063a7c311851fd177f436909a7451525f060943a

SHA512
f3759c553a32e0174c6b8c5415c2aedef84bbdf2ed81279055af8d2c87078c1c0be90bd56457879de6420a9a9608fd32a164add7b6ae2612ab871d6c009396be

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
a15903e5a41650aef370bf16061f3d13

SHA1
ac65a9dc15684c20b33c6120defa888b93487020

SHA256
788125ca817c3f8a23a6e1a4c2de0df3e8fee6021912ae3ce9c8085f1ef73971

SHA512
5b69e8abd700182a6a7576d30d22a2fa649247dce3d32e2304986025bb5e7bef0364e50dd79fdfd4acc1edc8072ad95859db137bd812a105f314a3f0db62377e

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
06d19ab10beda359839c5f1f480c28c1

SHA1
fd54d189602c6149ad0fca64ad28ff39a19f44dd

SHA256
cc6e1e62ec8175f8f2f477f1a9a523ea4de1e637b5cd68e4a3a2c72247658a86

SHA512
e26879592bf95b052eaf21fe73dcef3536b877bfdff88654b9fb47657f120be181716a1b5e6795a6dc62447d55a557482e524506480ed374ee4ac28fa1c2ad28

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
8cb85cee2e7cacfffa65d1ebddc028f6

SHA1
c789edbc70170d067e968efccdec3f7985cf6371

SHA256
89e7d8584daa2c336305e3ae5369c3db12a323122a1e3fb3306709bc5133c3f7

SHA512
3833e26587a5c7794238028c95948df0c2136ffb043fbe7df16642aa3bc35ec7fb1417fcfd7c4dce7c7f5dadb226a588c643760f0deaa506b894d3db8af0eeb4

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
dc1ecbcf21acae019f9f9eca1d72aa30

SHA1
9a026b8ca8c8842d0f23cd81ce79284b69e15501

SHA256
35886f2f5376ee073308e9720440d7a515274111377ef5d14c1643fd20ca78ce

SHA512
5ba4ea58b65cdef868875d6f5e3536dc3dde3c8729cbdb68e6a397be0cdfb6005515137eb668d34399d708f520dae9089ba24fba0fc81672460adf5719093a4f

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
3d810c213c7168b3c5cec2b91f38ea34

SHA1
b47f1d9f8a2f809219685659adfb2f45e07abfa1

SHA256
35498179e4816b4f9e61c378d751f39520c32dbc9c0fe25a248f8bf5437b17c9

SHA512
a3ad5a10483301a8e26e3b97a20a77290b8822102d7c84d9167403ef6252ab1c1ce8d409550ffcd92a31b5e48b5e027f11ef0f91921d57a7dcf79d67ff468bab

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
ce6905dab96c71ab1381dbc86a912530

SHA1
62fff038bd6f43cd15c0acc4d0b4a191cd7b669f

SHA256
fdffde4cbae0ee436baa168e168881405dfc6a8214437720226f6f34e7cf9c56

SHA512
bd28d7823a0ba995aa1070d0204db019da8f676f8fb1a84bf8f10620af001ad103ce394ea9ce832955347675b18ea92d6e45da8d6dba0ddde74caf37e5963b95

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
fd10e451d868f6f9b22f1a17bedc6106

SHA1
80024fac410d941f47138f3581ca066453844b8a

SHA256
06d8745edc28bb0e4b1b3b08992cf11120c0eddd355829d978318d7bb50b8f92

SHA512
7efd4d48f523de0a6483856af690882dd91e196036239c182034855a6076fe75f6fe2c230e46cfa0ad31cb0cf5d77ef03a70a9da347c1b9601b63fc23c27f2ec

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
2faf285e17ddf5d529995f826cbd368b

SHA1
c99ad0244d895d5bae861691489aa28a906340ed

SHA256
73b966d3c1151fffec058fa7d30b88769cd65ded570619c7915a97ae9c061086

SHA512
6ed975fe2590fca599c8b701c2e202227454901fc0d1792da9321d507ed8fe88be76644c01186e4c9998ce491fb4986de4dec478455f7e79968e4ed8aafceb07

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
859062bf1fa348178bd77038b800c20e

SHA1
d318cc8e2d868dd5e11a03947605422fcfde0638

SHA256
28c7f6e2d33dd26cc69cec4dec459c6d03dd38041557849fe073927eab6141e9

SHA512
9372e43a2aa4b7f077aae565df76640141888d2b7acbb537d218ece1a63d19f54af3cd12ddab1e572b1d8878b0236448efccce40a06f24836ba4c6fa1ba9bfc0

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
859062bf1fa348178bd77038b800c20e

SHA1
d318cc8e2d868dd5e11a03947605422fcfde0638

SHA256
28c7f6e2d33dd26cc69cec4dec459c6d03dd38041557849fe073927eab6141e9

SHA512
9372e43a2aa4b7f077aae565df76640141888d2b7acbb537d218ece1a63d19f54af3cd12ddab1e572b1d8878b0236448efccce40a06f24836ba4c6fa1ba9bfc0

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
0561c5ac2447e22a0027e79006738ba1

SHA1
40c2db9918a6752cee176d252b886f21ec17f712

SHA256
9c1d5c21d4c87f7c80c70e4d4089d41e08274e3fd2d485f857bba0fe09a8ee1a

SHA512
d1cfdecf9112cc66a767d7e55b264979e64db0f99a6a1710ab89c6da737810ac4bd935de87ea04ef826e2e1b16593d52bed949717920b0fb64a2d5e4587c1761

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
a0d2834b07d13cbc4a685ecc190e6e7a

SHA1
bf275f1686ba1d458743e7ca5980991860441e48

SHA256
ecc4f14126b7425385161ce6c4afac4f6bbdc757480d9e44af2d95e724381694

SHA512
195a4a79ef3e771cadf015c671dd5c596015ea9d0e84e1056e9dea7a4326be8117b886f01d9f98a10d21be60df911809bfb8bd1a87ddfb71f9261100b3c97d7b

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
2540a4b46afde009307bcbe9a757583b

SHA1
66d006497b38a85fd648067bc5ea49de4a7a1762

SHA256
7cb2dbe989b101f452066ac1bb4c875599c9b3f1a32a780906f0007e4dde42e0

SHA512
849383eb95d3121931237b36665e24b8cb3b190198d174dc594f2c54870826283e9180934bcf5368e5bad38763314dc2278615a97dfbb851d652f25216874459

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
f9b8ce0c10e7b811bf48e8aa4627ccd7

SHA1
45b7eb83878fc2f050b11455f30fcf5c95d73c66

SHA256
299f5eb1c2751e906314cadc9c83cbadd3f0889c43fc525bfe8f324fdb5ce1b4

SHA512
2ce88270d18e93d6d6add977596899f5944a75245fabf07fc98c9b1f6765ad2b83acb5fa30652251985a7d5da1cb4791dd87855384dc004f7ba8807e7587f7d6

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
6194b0c92d6204233f4d60c29056d3c2

SHA1
4d13a7b04fedd97e96b2c90071418c6b3e3e1b44

SHA256
71a6e42af599fed9c5ff52b8ad5b399b7cfefc18392f481115f1258546d302af

SHA512
c9b8a314c0f9f79d9730fa523fe81fd5da8d89d7c832c169b7259de4662baeb237fe07e918b5543eb31ccc4f21ee83df6b75c1cca22f7d9fd0a32fd7b21a9eea

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
548f96b2064d01061daf748b3257a2ec

SHA1
85d6bda4203bb27c65bd15c97e355c424e6c8aa9

SHA256
dbde3115c08691a2e594a3d639bf20d94149cd0b9eca61c51892aa5f633a166c

SHA512
62a664fcadcec523ad8dfd76cea03040ece0d2666dd409131ee703b05fd1c3f091a79ca7dc103648f9ad41373fa9d1b12d365dadf3a4aaa1e16c39f8ee4f5b45

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
bf1592f69bafa0dae5a625a17077b7c4

SHA1
07ebc3b5a531fd74e64fe512f0e44c361c0d1ba6

SHA256
63ca586a6c35ea61f11c909c2608123664da6ad5b9986f0a7f47346cf0f887bf

SHA512
8af352d652b69aff96efce33e2eb4fc70d5077f28bde5448b1b5a67758e61ecb37808ae8092c8aaf263ebe97d5f4ebf027d9d6d174a790ed48eac838bf184791

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
9ddb08921e349f8a727175c1c2f6954c

SHA1
bad88869bd3b378dfef68366c8f7c9c95335301c

SHA256
be3b6d1318619b5691702eea025184b63af6cd6056d2c93a820c91e19b0597c6

SHA512
5df802983fe695a4ad7f3886da668f3bf7af572f71932c3840b34817eeb920ddb1b15b3edc6afcdf9c8f2ac30f58a5b12a22dcc38dcc5b0cc8cef86c68e7e96e

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
2725a909d099e8b58f6ce23da568544a

SHA1
cf9dd472e1ec4c5809a70d0603df1c61125226b0

SHA256
fa80a38418c0f57dd04b2bf235c426a82a125807408a705ed0fef81c29219ce2

SHA512
3140001dc10d86c2977eb574c36f22db70c305e44f09ab819f5edd1abc87b5a56b352f535d7cf4419745f6229e42491317956b165e7737bdd64e102ea4fac7f4

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
4546d733a8ca0cab3f2aacf0e9b7cd30

SHA1
305faf1d335d456c125d807362f5997eaa7c924c

SHA256
3dfc485217e7868f659ebb94f020e37181541852ecffc475cddb06146688151c

SHA512
c432a3de4a5b2aa0ac3d72fa5c31c06149955611c505458edf022b58f5049e11f346599168de0da99fd7e7acd1431e2ca69ed2ea1b0ee62717f4025cd4346e66

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
ed9b99da3de2220832a80b58dc924a4c

SHA1
688d73f0a1918f5005861fcff1f8a426587ec3a9

SHA256
5854f19e1f3a3a2cb106ec9f62e86fd67702d337c4349e3be9d822664a5e582d

SHA512
d752f59260c6f9f3d9aec294cc9c2bcffe73c3cfea87d849d7fce200e2b6bd4138c3494b80c8589e17b5541f78b1527cff2bd2c60f87a5f7b943d19d85a28e4e

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
884fa33bfb37bfd1c279a51a79fc0c2a

SHA1
96a6561470b5410de7c01c28a26044208c5052c3

SHA256
84f162d4d83a7c28ec560d781e44ea206489980531e4c4180e7ee7037ad9e1b2

SHA512
4351385b7ca18253f734872f5e70087c2d633190c254b59b128b0be7e5d7f8fcebb1514dcfc475c3d2319e38bc1208de5eb5f8d048dfeccd67d3b3582465488a

Download Submit
memory/64-476-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/64-326-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/224-314-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/224-377-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/320-299-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/628-173-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/628-164-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/628-158-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/1272-274-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/1324-175-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/1324-246-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/1324-178-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/1324-170-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/1964-135-0x0000000005620000-0x0000000005BC4000-memory.dmp

Filesize
5.6MB

Download
memory/1964-134-0x0000000000600000-0x00000000007A0000-memory.dmp

Filesize
1.6MB

Download
memory/1964-138-0x00000000053B0000-0x00000000053C0000-memory.dmp

Filesize
64KB

Download
memory/1964-137-0x00000000052F0000-0x00000000052FA000-memory.dmp

Filesize
40KB

Download
memory/1964-136-0x0000000005150000-0x00000000051E2000-memory.dmp

Filesize
584KB

Download
memory/1964-139-0x00000000053B0000-0x00000000053C0000-memory.dmp

Filesize
64KB

Download
memory/1964-140-0x00000000075B0000-0x000000000764C000-memory.dmp

Filesize
624KB

Download
memory/2176-338-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2176-478-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2444-360-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/2448-256-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2448-196-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2448-202-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2448-213-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3240-209-0x0000000000700000-0x0000000000766000-memory.dmp

Filesize
408KB

Download
memory/3384-388-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3384-480-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3392-420-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3532-231-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3532-229-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3532-225-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3532-219-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3808-258-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/4128-483-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4128-467-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4288-297-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/4308-482-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/4308-422-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/4312-481-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4312-398-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4432-245-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/4432-141-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/4432-144-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/4432-145-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/4432-146-0x0000000002D70000-0x0000000002DD6000-memory.dmp

Filesize
408KB

Download
memory/4432-151-0x0000000002D70000-0x0000000002DD6000-memory.dmp

Filesize
408KB

Download
memory/4456-341-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/4456-479-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/4488-182-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/4488-194-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4488-192-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/4488-191-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4488-188-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/4828-374-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4920-257-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4920-216-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4920-214-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/4920-206-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/4964-259-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/4964-235-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4964-234-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads