Analysis
- max time kernel: 159s
- max time network: 165s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05-05-2023 21:00

Static task
- static1

Behavioral tasks
- behavioral1: sample tmpfkfb5hd.exe, resource win7-20230220-en
- behavioral2: sample tmpfkfb5hd.exe, resource win10v2004-20230220-en (the run reported below)
General
- Target: tmpfkfb5hd.exe
- Size: 1.4MB
- MD5: 348bfc0c42d7254bc63e482c4173fea8
- SHA1: ef6a18df4c2d04c6c194c5cd959e714114a402ab
- SHA256: 66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8
- SHA512: ebabb70e503b8631210ce53d89c03275b190823e85fb1591216022c575b271cb981b2c93f63989b0179bfa6fbd807c11d1cafd43d335d2010d35b9ae9f21be43
- SSDEEP: 24576:+3y9ZjI1Uw2ojP1WQ4C8KJ/Ixl2KVpLNzwOKb3uR/kCrVKoNZXgUFqssP:B9Z0xWQTJ/uAWp53R/k+VdQW6
Malware Config
Extracted
- family: blustealer
- exfiltration endpoint: https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

The extracted URL is a Telegram Bot API call. The path segment after "bot" is the attacker's bot token (bot id 5797428905 followed by its secret), and chat_id=1251788325 is the chat that receives the stolen data. The bot id and the chat_id are the stable pieces to hunt for in proxy logs; the host api.telegram.org on its own is shared with every legitimate Telegram bot, so blocking it by name has side effects.
Signatures

BluStealer
A modular information stealer written in Visual Basic.

Executes dropped EXE (22 IoCs)
pid   Process
- 3852  alg.exe
- 4752  DiagnosticsHub.StandardCollector.Service.exe
- 5072  fxssvc.exe
- 2032  elevation_service.exe
- 1956  elevation_service.exe
- 3944  maintenanceservice.exe
- 812   msdtc.exe
- 1836  OSE.EXE
- 3836  PerceptionSimulationService.exe
- 1828  perfhost.exe
- 4136  locator.exe
- 2200  SensorDataService.exe
- 1404  snmptrap.exe
- 3524  spectrum.exe
- 3544  ssh-agent.exe
- 2292  TieringEngineService.exe
- 544   AgentService.exe
- 3152  vds.exe
- 4856  vssvc.exe
- 3340  wbengine.exe
- 5064  WmiApSrv.exe
- 2016  SearchIndexer.exe
Every image in this list is a legitimate Windows or third-party service binary, and most of them appear below under "Drops file in System32 directory" and "Drops file in Program Files directory" as files that tmpfkfb5hd.exe opened for modification before they ran. Treat them as tampered copies of files that already existed on the host rather than as payloads the sample carried, and verify the on-disk copies (Authenticode signature, hash against a clean image of the same build) before trusting any of them.
Reads user/profile data of web browsers (2 TTPs)
Infostealers read stored browser data such as saved credentials, cookies and autofill entries; the report records the technique here without listing individual files.

Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
description  ioc  Process
- Key opened \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  AppLaunch.exe
- Key opened \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  AppLaunch.exe
- Key opened \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  AppLaunch.exe
The three keys are the Outlook 2013 (Office 15.0), Outlook 2016 and later (Office 16.0) and legacy Windows Messaging Subsystem profile stores; the 9375CFF0413111d3B88A00104B2A6676 subkey is where Outlook keeps per-account settings, including stored mail server credentials. The reads come from AppLaunch.exe, a .NET Framework host executable, not from tmpfkfb5hd.exe, so by this point the stealer code is executing inside a process other than the dropper.
Drops file in System32 directory (24 IoCs)
description  ioc  Process
Opened for modification by tmpfkfb5hd.exe (22 entries):
- C:\Windows\system32\AppVClient.exe
- C:\Windows\system32\fxssvc.exe
- C:\Windows\system32\msiexec.exe
- C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- C:\Windows\system32\locator.exe
- C:\Windows\System32\alg.exe
- C:\Windows\SysWow64\perfhost.exe
- C:\Windows\System32\SensorDataService.exe
- C:\Windows\system32\spectrum.exe
- C:\Windows\System32\OpenSSH\ssh-agent.exe
- C:\Windows\system32\TieringEngineService.exe
- C:\Windows\System32\vds.exe
- C:\Windows\system32\dllhost.exe
- C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- C:\Windows\system32\wbengine.exe
- C:\Windows\system32\vssvc.exe
- C:\Windows\system32\wbem\WmiApSrv.exe
- C:\Windows\system32\SgrmBroker.exe
- C:\Windows\system32\AgentService.exe
- C:\Windows\system32\SearchIndexer.exe
- C:\Windows\System32\msdtc.exe
- C:\Windows\System32\snmptrap.exe
Opened for modification by other processes (2 entries):
- C:\Windows\system32\MSDtc\MSDTC.LOG  msdtc.exe
- C:\Windows\system32\config\systemprofile\AppData\Roaming\b555861c2f34055d.bin  alg.exe
Every file in the first group is an existing service executable that the sample opens for writing in place; none of them is created fresh. The second group is worth separating out: MSDTC.LOG is the normal log of the DTC service, but b555861c2f34055d.bin is written under the SYSTEM profile by alg.exe, itself one of the binaries the sample modified, so that .bin is an artifact of the tampered service and should be collected alongside the modified executables.
Suspicious use of SetThreadContext (2 IoCs)
description  pid  Process  procid_target
- PID 3396 set thread context of 1608  3396 tmpfkfb5hd.exe  90
- PID 1608 set thread context of 3968  1608 tmpfkfb5hd.exe  97
Two hops: the first tmpfkfb5hd.exe instance (3396) sets the thread context of a second instance of its own image (1608), and 1608 then does the same to a third process (3968, whose image is not named in this section). Each hop has matching WriteProcessMemory entries below for the same parent/child pair, i.e. write the payload into the child, then redirect a thread into it, which is the process-hollowing pattern. procid_target is the report's own index of the target process, not a Windows PID.
Drops file in Program Files directory (64 IoCs)
description  ioc  Process
All 64 entries are "File opened for modification" by tmpfkfb5hd.exe, grouped here by directory:
- C:\Program Files\7-Zip\: 7zFM.exe
- C:\Program Files\Common Files\microsoft shared\ClickToRun\: appvcleaner.exe, IntegratedOffice.exe
- C:\Program Files\Common Files\microsoft shared\ink\: mip.exe, ShapeCollector.exe
- C:\Program Files\Common Files\microsoft shared\Source Engine\: OSE.EXE
- C:\Program Files\Common Files\microsoft shared\VSTO\10.0\: VSTOInstaller.exe
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\: chrome_pwa_launcher.exe
- C:\Program Files\Internet Explorer\: iediagcmd.exe, ieinstal.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\: appletviewer.exe, javadoc.exe, jconsole.exe, jjs.exe, jmap.exe, jrunscript.exe, jsadebugd.exe, keytool.exe, ktab.exe, pack200.exe, policytool.exe, rmic.exe, servertool.exe, tnameserv.exe, wsimport.exe
- C:\Program Files\Java\jdk1.8.0_66\jre\bin\: jabswitch.exe, java.exe, javaw.exe, jjs.exe, keytool.exe, klist.exe, pack200.exe, tnameserv.exe
- C:\Program Files\Java\jre1.8.0_66\bin\: jabswitch.exe, java-rmi.exe, javaw.exe, javaws.exe, jjs.exe, kinit.exe, orbd.exe, pack200.exe, rmid.exe, ssvagent.exe, unpack200.exe
- C:\Program Files\Mozilla Firefox\: default-browser-agent.exe, minidump-analyzer.exe, updater.exe
- C:\Program Files\VideoLAN\VLC\: vlc.exe
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\: AcroBroker.exe, AcroRd32.exe, AcroTextExtractor.exe, arh.exe, reader_sl.exe, wow_helper.exe
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\: WCChromeNativeMessagingHost.exe
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\: 64BitMAPIBroker.exe
- C:\Program Files (x86)\Common Files\Java\Java Update\: jusched.exe
- C:\Program Files (x86)\Google\Update\1.3.36.151\: GoogleUpdateCore.exe, GoogleUpdateOnDemand.exe, GoogleUpdateSetup.exe
- C:\Program Files (x86)\Google\Update\Install\{7275D8FE-3105-4FA6-AB36-BE5FAD0C0F2A}\: chrome_installer.exe
- C:\Program Files (x86)\Internet Explorer\: ieinstal.exe
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\: elevation_service.exe
- C:\Program Files (x86)\Mozilla Maintenance Service\: Uninstall.exe
The report lists at most 64 IoCs per signature, so this list is not exhaustive: maintenanceservice.exe, which runs under "Executes dropped EXE" above, does not appear among the modifications shown. Every executable under Program Files should be treated as suspect on an infected host, not only the ones listed.

Drops file in Windows directory (2 IoCs)
description  ioc  Process
- File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe  tmpfkfb5hd.exe
- File opened for modification C:\Windows\DtcInstall.log  msdtc.exe
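The file-modification lists above and the "Executes dropped EXE" list are rendered as flattened one-line tables, which makes cross-referencing them by hand error-prone. The following Python is added here as an example; it is not part of the sandbox report and has nothing to do with the BluStealer code. It parses the report's "File opened for modification <path> <process>" records and the "pid Process" list, then reports which modified files were subsequently executed and which files were written by something other than the sample. The embedded record strings are constructed excerpts of the entries above, run together exactly as the report renders them; the record wording and the column layout are the only things assumed.

```python
import re
from dataclasses import dataclass

SAMPLE = "tmpfkfb5hd.exe"

# Constructed excerpt of the report's "Drops file in ..." records (a subset of the
# entries above, same wording, run together on one line as the report renders them).
FILE_RECORDS = (
    r"description ioc Process "
    r"File opened for modification C:\Windows\system32\fxssvc.exe tmpfkfb5hd.exe "
    r"File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG msdtc.exe "
    r"File opened for modification C:\Windows\System32\alg.exe tmpfkfb5hd.exe "
    r"File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\b555861c2f34055d.bin alg.exe "
    r"File opened for modification C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE tmpfkfb5hd.exe "
    r"File opened for modification C:\Program Files\Mozilla Firefox\updater.exe tmpfkfb5hd.exe"
)

# Constructed excerpt of the "Executes dropped EXE" pid/process list above.
EXEC_RECORDS = ("pid Process 3852 alg.exe 4752 DiagnosticsHub.StandardCollector.Service.exe "
                "5072 fxssvc.exe 812 msdtc.exe 1836 OSE.EXE")


@dataclass(frozen=True)
class FileRecord:
    path: str      # file opened for modification
    process: str   # image name of the process that opened it


def parse_file_records(text):
    """Split on the record prefix; each chunk is '<path> <process>'.
    Paths may contain spaces but process names do not, so the last space separates them.
    The leading 'description ioc Process' header has no drive letter and is dropped."""
    records = []
    for chunk in re.split(r"File opened for modification\s+", text):
        chunk = chunk.strip()
        if not re.match(r"[A-Za-z]:\\", chunk):
            continue
        path, process = chunk.rsplit(None, 1)
        records.append(FileRecord(path, process))
    return records


def parse_exec_records(text):
    """'<pid> <image>' pairs; the 'pid Process' header contains no digits and is skipped."""
    tokens = text.split()
    return [(int(tokens[i]), tokens[i + 1])
            for i in range(len(tokens) - 1) if tokens[i].isdigit()]


def modified_then_executed(file_records, exec_records, sample=SAMPLE):
    """Return (hits, unmatched): executed images whose basename matches a file the
    sample opened for modification, and executed images with no such match
    (either untouched, or modified but beyond the report's listing cap)."""
    by_name = {}
    for r in file_records:
        if r.process == sample:
            by_name.setdefault(r.path.rsplit("\\", 1)[-1].lower(), []).append(r.path)
    hits, unmatched = [], []
    for pid, image in exec_records:
        paths = by_name.get(image.lower())
        if paths:
            hits.append((image, pid, paths))
        else:
            unmatched.append(image)
    return hits, unmatched


def secondary_artifacts(file_records, sample=SAMPLE):
    """Files touched by a process other than the sample: here the already-modified
    services writing their own artifacts (a DTC log, a .bin under the SYSTEM profile)."""
    return [r for r in file_records if r.process != sample]


if __name__ == "__main__":
    files, execs = parse_file_records(FILE_RECORDS), parse_exec_records(EXEC_RECORDS)
    hits, unmatched = modified_then_executed(files, execs)
    for image, pid, paths in hits:
        print(f"modified then executed: {image} (pid {pid}) <- {paths[0]}")
    print("executed, no listed modification:", ", ".join(unmatched))
    for r in secondary_artifacts(files):
        print(f"written by {r.process}: {r.path}")
```

Matching is by basename only, on purpose: the report's execution list carries no path, so a hit says "a file of this name was modified by the sample and a process of this name then ran", which is exactly the triage question. An unmatched image is not cleared by this check; with the 64-entry cap it may simply be a modification the report did not print.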
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI device information is often read in order to detect sandboxing environments: vendor and product strings such as the "Virtual_DVD-ROM" below are among the values VM checks compare against.
description  ioc  Process
All keys are under \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\ and involve four device instances, two reading processes and seven device-property subkeys (written <instance>\Properties\<GUID>\<index> in the report):
- P1 = {8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004
- P2 = {259abffc-50a7-47ce-af08-68c9a7d73366}\000C
- P3 = {540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009
- P4 = {b725f130-47ef-101a-a5f1-02608c9eebac}\000A
- P5 = {51236583-0c4a-4fe8-b81f-166aec13f510}\007A
- P6 = {cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006
- P7 = {78c34fc8-104a-4aca-9ea4-524d52996e57}\005A
"root" means Key opened on the device-instance key itself, "FriendlyName" means Key value queried on <instance>\FriendlyName, and Pn means Key opened on that property subkey.

SensorDataService.exe (33 entries)
- CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000: root, FriendlyName, P1, P2, P3, P4, P5, P6, P7
- Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000: root, FriendlyName, P1, P2, P3, P4, P5, P7
- CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001: root, FriendlyName, P2, P3, P4, P5, P7
- CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002: root, FriendlyName, P1, P2, P3, P4, P5, P6, P7

spectrum.exe (31 entries)
- CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000: root, FriendlyName, P1, P2, P3, P4, P5, P6, P7
- Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000: root, FriendlyName, P1, P3, P4, P5, P6, P7
- CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001: root, FriendlyName, P1, P2, P3, P4, P5, P6
- CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002: FriendlyName, P1, P2, P3, P4, P6

Both readers are service binaries that the sample opened for modification (see "Drops file in System32 directory"); the sample process itself never appears here. Services enumerate attached devices when they start, so on its own this signature is weak evidence of deliberate sandbox detection.

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description  ioc  Process
- Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0  TieringEngineService.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  TieringEngineService.exe
The same caveat applies: the reader is TieringEngineService.exe, another of the modified services, not the sample process.
Modifies data under HKEY_USERS (39 IoCs)
description  ioc  Process
All 39 entries are under \REGISTRY\USER\.DEFAULT\ (the hive that services running as LocalSystem see as HKEY_CURRENT_USER) and are written by services started during the run, not by tmpfkfb5hd.exe. They are grouped by writer below; "MuiCache" abbreviates Software\Classes\Local Settings\MuiCache\1e\52C64B7E and "Cached" abbreviates Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached.

SearchProtocolHost.exe (20 entries)
- Set value (str) MuiCache\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"
- Set value (str) MuiCache\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"
- Set value (str) MuiCache\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"
- Set value (str) MuiCache\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"
- Set value (str) MuiCache\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"
- Set value (str) MuiCache\@windows.storage.dll,-34583 = "Saved Pictures"
- Set value (str) MuiCache\@windows.storage.dll,-21824 = "Camera Roll"
- Set value (str) MuiCache\@windows.storage.dll,-21825 = "3D Objects"
- Set value (str) MuiCache\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"
- Set value (str) MuiCache\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"
- Set value (str) MuiCache\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"
- Set value (str) MuiCache\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"
- Key created Cached
- Set value (data) Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d4364c2eb87fd901
- Set value (data) Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cb971e21b87fd901
- Set value (data) Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000096e80d21b87fd901
- Set value (data) Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b511d720b87fd901
- Set value (data) Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000084eaee20b87fd901
- Set value (data) Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d0fc312eb87fd901
- Set value (data) Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000035bf552eb87fd901

SearchIndexer.exe (10 entries, all Set value (str) under MuiCache\C:\Windows\system32,@elscore.dll)
- ,-1 = "Microsoft Language Detection"
- ,-2 = "Microsoft Script Detection"
- ,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"
- ,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"
- ,-5 = "Microsoft Transliteration Engine"
- ,-6 = "Microsoft Cyrillic to Latin Transliteration"
- ,-7 = "Microsoft Devanagari to Latin Transliteration"
- ,-8 = "Microsoft Malayalam to Latin Transliteration"
- ,-9 = "Microsoft Bengali to Latin Transliteration"
- ,-10 = "Microsoft Hangul Decomposition Transliteration"

SearchFilterHost.exe (4 entries)
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer

fxssvc.exe (5 entries, all Set value (str) under MuiCache\@fxsresm.dll)
- ,-1130 = "Microsoft Modem Device Provider"
- ,-1131 = "Route through e-mail"
- ,-1132 = "Store in a folder"
- ,-1133 = "Print"
- ,-1134 = "Microsoft Routing Extension"

These are MUI string caches and the shell-extension Cached list that the indexing and fax services populate when they run under a fresh profile; none of them is a persistence or configuration change made by the sample. What matters is that the services ran at all: SearchIndexer.exe and fxssvc.exe are among the binaries the sample opened for modification.
Script User-Agent (1 IoC)
Uses a user-agent string associated with a script host/environment.
description  flow  ioc
- HTTP User-Agent header  111  Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
This is the default user-agent of the WinHttp.WinHttpRequest COM object, so the request was issued through that object (the usual route from VB and script code) rather than by a browser; "111" is the report's network flow index. Together with the Telegram Bot API endpoint in the extracted config, a proxy rule on this user-agent plus host api.telegram.org has a low false-positive rate, since no browser presents this string.
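The extracted config and the user-agent entry above together describe the sample's exfiltration path: a Telegram Bot API URL that embeds the bot token and the receiving chat, requested with the WinHttpRequest user-agent. The following Python is added here as an example of turning those two observations into hunting logic; it is not part of the sandbox report and not BluStealer code. It parses a Bot API URL into its stable components, redacts the secret for sharing, and scans proxy log lines for the combination. The log lines are constructed for the example (a tab-separated layout of time, client, verb, URL and user-agent is assumed); the first two reuse the endpoint from the extracted config above, the remaining lines and the second bot token are made up.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Telegram Bot API URL: https://api.telegram.org/bot<bot_id>:<secret>/<method>?chat_id=...
BOT_URL = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>\w+)")
# Default user-agent of the WinHttp.WinHttpRequest COM object, as seen in flow 111 above.
WINHTTP_UA = "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
# Methods that carry data out; getUpdates/getMe would be a bot polling for input instead.
EXFIL_METHODS = {"sendMessage", "sendDocument", "sendPhoto"}

# Constructed proxy log (tab-separated: time, client, verb, url, user-agent). The first
# two URLs reuse the endpoint from the extracted config above; the rest are made up.
PROXY_LOG = "\n".join([
    "2023-05-05T21:03:11Z\t10.0.0.21\tPOST\thttps://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325\t" + WINHTTP_UA,
    "2023-05-05T21:03:12Z\t10.0.0.21\tPOST\thttps://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendDocument?chat_id=1251788325\t" + WINHTTP_UA,
    "2023-05-05T21:04:40Z\t10.0.0.7\tGET\thttps://web.telegram.org/a/\tMozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/112.0",
    "2023-05-05T21:05:02Z\t10.0.0.50\tPOST\thttps://api.telegram.org/bot1234567890:AAEexampleTOKENexampleTOKENexample12/getUpdates\tpython-requests/2.31",
])


def parse_bot_url(url):
    """Split a Bot API URL into its hunting keys; None for anything else."""
    m = BOT_URL.match(url)
    if not m:
        return None
    chat = parse_qs(urlsplit(url).query).get("chat_id", [None])[0]
    return {"bot_id": m["bot_id"], "secret": m["secret"], "method": m["method"], "chat_id": chat}


def redact(url):
    """Keep the bot id (a stable indicator) but drop the secret before the URL goes
    into a ticket or a shared IoC list."""
    return re.sub(r"(/bot\d+:)[A-Za-z0-9_-]+", r"\1<redacted>", url)


def scan_proxy_log(text):
    """Flag Bot API traffic. Severity is 'high' when a data-sending method is paired with
    the WinHttpRequest user-agent (the combination in this report) and 'medium' for any
    other Bot API use, which may be a legitimate in-house bot."""
    findings = []
    for line in text.splitlines():
        ts, client, verb, url, ua = line.split("\t", 4)
        info = parse_bot_url(url)
        if info is None:
            continue
        exfil = info["method"] in EXFIL_METHODS
        severity = "high" if exfil and "WinHttp.WinHttpRequest" in ua else "medium"
        findings.append({"ts": ts, "client": client, "bot_id": info["bot_id"],
                         "chat_id": info["chat_id"], "method": info["method"],
                         "severity": severity, "url": redact(url)})
    return findings


if __name__ == "__main__":
    for f in scan_proxy_log(PROXY_LOG):
        print(f"{f['severity']:6} {f['ts']} {f['client']} bot={f['bot_id']} "
              f"chat={f['chat_id']} {f['method']}")
```

The findings carry the redacted URL only: the bot id and chat_id are what you pivot on across hosts, while the secret is a live credential for the attacker's bot and has no place in a ticket. The browser visit to web.telegram.org produces no finding, which is the point of matching the Bot API path shape rather than the domain.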
Suspicious behavior: EnumeratesProcesses 35 IoCs
pid Process 1608 tmpfkfb5hd.exe 1608 tmpfkfb5hd.exe 1608 tmpfkfb5hd.exe 1608 tmpfkfb5hd.exe 1608 tmpfkfb5hd.exe 1608 tmpfkfb5hd.exe 1608 tmpfkfb5hd.exe 1608 tmpfkfb5hd.exe 1608 tmpfkfb5hd.exe 1608 tmpfkfb5hd.exe 1608 tmpfkfb5hd.exe 1608 tmpfkfb5hd.exe 1608 tmpfkfb5hd.exe 1608 tmpfkfb5hd.exe 1608 tmpfkfb5hd.exe 1608 tmpfkfb5hd.exe 1608 tmpfkfb5hd.exe 1608 tmpfkfb5hd.exe 1608 tmpfkfb5hd.exe 1608 tmpfkfb5hd.exe 1608 tmpfkfb5hd.exe 1608 tmpfkfb5hd.exe 1608 tmpfkfb5hd.exe 1608 tmpfkfb5hd.exe 1608 tmpfkfb5hd.exe 1608 tmpfkfb5hd.exe 1608 tmpfkfb5hd.exe 1608 tmpfkfb5hd.exe 1608 tmpfkfb5hd.exe 1608 tmpfkfb5hd.exe 1608 tmpfkfb5hd.exe 1608 tmpfkfb5hd.exe 1608 tmpfkfb5hd.exe 1608 tmpfkfb5hd.exe 1608 tmpfkfb5hd.exe -
Suspicious behavior: LoadsDriver 2 IoCs
pid Process 652 Process not Found 652 Process not Found -
Suspicious use of AdjustPrivilegeToken 43 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 1608 tmpfkfb5hd.exe
Token: SeAuditPrivilege 5072 fxssvc.exe
Token: SeRestorePrivilege 2292 TieringEngineService.exe
Token: SeManageVolumePrivilege 2292 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 544 AgentService.exe
Token: SeBackupPrivilege 4856 vssvc.exe
Token: SeRestorePrivilege 4856 vssvc.exe
Token: SeAuditPrivilege 4856 vssvc.exe
Token: SeBackupPrivilege 3340 wbengine.exe
Token: SeRestorePrivilege 3340 wbengine.exe
Token: SeSecurityPrivilege 3340 wbengine.exe
Token: 33 2016 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 2016 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2016 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2016 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2016 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2016 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2016 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2016 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2016 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2016 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2016 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2016 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2016 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2016 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2016 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2016 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2016 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2016 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2016 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2016 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2016 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2016 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2016 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2016 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2016 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2016 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2016 SearchIndexer.exe
Token: SeDebugPrivilege 1608 tmpfkfb5hd.exe
Token: SeDebugPrivilege 1608 tmpfkfb5hd.exe
Token: SeDebugPrivilege 1608 tmpfkfb5hd.exe
Token: SeDebugPrivilege 1608 tmpfkfb5hd.exe
Token: SeDebugPrivilege 1608 tmpfkfb5hd.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process
1608 tmpfkfb5hd.exe
-
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target
PID 3396 wrote to memory of 1608 3396 tmpfkfb5hd.exe 90
PID 3396 wrote to memory of 1608 3396 tmpfkfb5hd.exe 90
PID 3396 wrote to memory of 1608 3396 tmpfkfb5hd.exe 90
PID 3396 wrote to memory of 1608 3396 tmpfkfb5hd.exe 90
PID 3396 wrote to memory of 1608 3396 tmpfkfb5hd.exe 90
PID 3396 wrote to memory of 1608 3396 tmpfkfb5hd.exe 90
PID 3396 wrote to memory of 1608 3396 tmpfkfb5hd.exe 90
PID 3396 wrote to memory of 1608 3396 tmpfkfb5hd.exe 90
PID 1608 wrote to memory of 3968 1608 tmpfkfb5hd.exe 97
PID 1608 wrote to memory of 3968 1608 tmpfkfb5hd.exe 97
PID 1608 wrote to memory of 3968 1608 tmpfkfb5hd.exe 97
PID 1608 wrote to memory of 3968 1608 tmpfkfb5hd.exe 97
PID 1608 wrote to memory of 3968 1608 tmpfkfb5hd.exe 97
PID 2016 wrote to memory of 4756 2016 SearchIndexer.exe 117
PID 2016 wrote to memory of 4756 2016 SearchIndexer.exe 117
PID 2016 wrote to memory of 4540 2016 SearchIndexer.exe 118
PID 2016 wrote to memory of 4540 2016 SearchIndexer.exe 118
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
outlook_office_path 1 IoCs
description ioc Process
Key opened \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe
-
outlook_win_path 1 IoCs
description ioc Process
Key opened \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe
-
Processes
-
C:\Users\Admin\AppData\Local\Temp\tmpfkfb5hd.exe | "C:\Users\Admin\AppData\Local\Temp\tmpfkfb5hd.exe" | depth 1
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3396
-
C:\Users\Admin\AppData\Local\Temp\tmpfkfb5hd.exe | "C:\Users\Admin\AppData\Local\Temp\tmpfkfb5hd.exe" | depth 2
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1608
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | depth 3
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:3968
-
C:\Windows\System32\alg.exe | C:\Windows\System32\alg.exe | depth 1
- Executes dropped EXE
- Drops file in System32 directory
PID:3852
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | depth 1
- Executes dropped EXE
PID:4752
-
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv | depth 1
PID:2124
-
C:\Windows\system32\fxssvc.exe | C:\Windows\system32\fxssvc.exe | depth 1
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5072
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe" | depth 1
- Executes dropped EXE
PID:2032
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe" | depth 1
- Executes dropped EXE
PID:1956
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe" | depth 1
- Executes dropped EXE
PID:3944
-
C:\Windows\System32\msdtc.exe | C:\Windows\System32\msdtc.exe | depth 1
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:812
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE | "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE" | depth 1
- Executes dropped EXE
PID:1836
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | depth 1
- Executes dropped EXE
PID:3836
-
C:\Windows\SysWow64\perfhost.exe | C:\Windows\SysWow64\perfhost.exe | depth 1
- Executes dropped EXE
PID:1828
-
C:\Windows\system32\locator.exe | C:\Windows\system32\locator.exe | depth 1
- Executes dropped EXE
PID:4136
-
C:\Windows\System32\SensorDataService.exe | C:\Windows\System32\SensorDataService.exe | depth 1
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2200
-
C:\Windows\System32\snmptrap.exe | C:\Windows\System32\snmptrap.exe | depth 1
- Executes dropped EXE
PID:1404
-
C:\Windows\system32\spectrum.exe | C:\Windows\system32\spectrum.exe | depth 1
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3524
-
C:\Windows\System32\OpenSSH\ssh-agent.exe | C:\Windows\System32\OpenSSH\ssh-agent.exe | depth 1
- Executes dropped EXE
PID:3544
-
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc | depth 1
PID:4984
-
C:\Windows\system32\TieringEngineService.exe | C:\Windows\system32\TieringEngineService.exe | depth 1
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2292
-
C:\Windows\system32\AgentService.exe | C:\Windows\system32\AgentService.exe | depth 1
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:544
-
C:\Windows\System32\vds.exe | C:\Windows\System32\vds.exe | depth 1
- Executes dropped EXE
PID:3152
-
C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe | depth 1
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4856
-
C:\Windows\system32\wbengine.exe | "C:\Windows\system32\wbengine.exe" | depth 1
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3340
-
C:\Windows\system32\wbem\WmiApSrv.exe | C:\Windows\system32\wbem\WmiApSrv.exe | depth 1
- Executes dropped EXE
PID:5064
-
C:\Windows\system32\SearchIndexer.exe | C:\Windows\system32\SearchIndexer.exe /Embedding | depth 1
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2016
-
C:\Windows\system32\SearchProtocolHost.exe | "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" | depth 2
- Modifies data under HKEY_USERS
PID:4756
-
C:\Windows\system32\SearchFilterHost.exe | "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896 | depth 2
- Modifies data under HKEY_USERS
PID:4540
-
Network
MITRE ATT&CK Enterprise v6
Downloads