blustealer | 66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
09-05-2023 13:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
Size

1.4MB
MD5

348bfc0c42d7254bc63e482c4173fea8
SHA1

ef6a18df4c2d04c6c194c5cd959e714114a402ab
SHA256

66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8
SHA512

ebabb70e503b8631210ce53d89c03275b190823e85fb1591216022c575b271cb981b2c93f63989b0179bfa6fbd807c11d1cafd43d335d2010d35b9ae9f21be43
SSDEEP

24576:+3y9ZjI1Uw2ojP1WQ4C8KJ/Ixl2KVpLNzwOKb3uR/kCrVKoNZXgUFqssP:B9Z0xWQTJ/uAWp53R/k+VdQW6

Score

10^/10

blustealer collection spyware stealer

Malware Config

Extracted

Family

blustealer

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 22 IoCs

pid	Process
752	alg.exe
2452	DiagnosticsHub.StandardCollector.Service.exe
4468	fxssvc.exe
4308	elevation_service.exe
4568	elevation_service.exe
3840	maintenanceservice.exe
3788	msdtc.exe
3572	OSE.EXE
1836	PerceptionSimulationService.exe
756	perfhost.exe
4896	locator.exe
1932	SensorDataService.exe
4708	snmptrap.exe
4068	spectrum.exe
2832	ssh-agent.exe
2424	TieringEngineService.exe
948	AgentService.exe
4944	vds.exe
3868	vssvc.exe
564	wbengine.exe
3712	WmiApSrv.exe
2084	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Windows\System32\vds.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Windows\system32\locator.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Windows\system32\spectrum.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Windows\system32\AgentService.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Windows\system32\msiexec.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Windows\System32\msdtc.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\52d9a0cdc9ce9937.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Windows\system32\vssvc.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Windows\system32\wbengine.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4124 set thread context of 4120	4124	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe	92
PID 4120 set thread context of 3584	4120	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe	97

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\nbexec64.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\ktab.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmiregistry.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\tnameserv.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javac.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jinfo.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\klist.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\pack200.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\servertool.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\tnameserv.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javaw.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javah.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmid.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ktab.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\rmid.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\nbexec.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstatd.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\xjc.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\klist.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ssvagent.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\unpack200.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstat.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\java.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jps.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jhat.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jjs.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\serialver.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\kinit.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jvisualvm.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\keytool.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\policytool.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\java.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\unpack200.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jsadebugd.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002045ce688882d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000785400618882d901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dd44dc638882d901	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000066e406678882d901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ab2e80628882d901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f7977f688882d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f90403668882d901	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000320522668882d901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cb1535668882d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	102	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
4120	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
4120	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
4120	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
4120	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
4120	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
4120	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
4120	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
4120	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
4120	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
4120	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
4120	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
4120	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
4120	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
4120	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
4120	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
4120	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
4120	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
4120	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
4120	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
4120	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
4120	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
4120	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
4120	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
4120	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
4120	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
4120	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
4120	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
4120	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
4120	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
4120	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
4120	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
4120	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
4120	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
4120	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
4120	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
684	Process not Found
684	Process not Found

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4120	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
Token: SeAuditPrivilege	4468	fxssvc.exe
Token: SeRestorePrivilege	2424	TieringEngineService.exe
Token: SeManageVolumePrivilege	2424	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	948	AgentService.exe
Token: SeBackupPrivilege	3868	vssvc.exe
Token: SeRestorePrivilege	3868	vssvc.exe
Token: SeAuditPrivilege	3868	vssvc.exe
Token: SeBackupPrivilege	564	wbengine.exe
Token: SeRestorePrivilege	564	wbengine.exe
Token: SeSecurityPrivilege	564	wbengine.exe
Token: 33	2084	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2084	SearchIndexer.exe
Token: SeDebugPrivilege	4120	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
Token: SeDebugPrivilege	4120	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
Token: SeDebugPrivilege	4120	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
Token: SeDebugPrivilege	4120	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
Token: SeDebugPrivilege	4120	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4120	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 4124 wrote to memory of 4120	4124	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe	92
PID 4124 wrote to memory of 4120	4124	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe	92
PID 4124 wrote to memory of 4120	4124	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe	92
PID 4124 wrote to memory of 4120	4124	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe	92
PID 4124 wrote to memory of 4120	4124	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe	92
PID 4124 wrote to memory of 4120	4124	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe	92
PID 4124 wrote to memory of 4120	4124	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe	92
PID 4124 wrote to memory of 4120	4124	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe	92
PID 4120 wrote to memory of 3584	4120	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe	97
PID 4120 wrote to memory of 3584	4120	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe	97
PID 4120 wrote to memory of 3584	4120	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe	97
PID 4120 wrote to memory of 3584	4120	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe	97
PID 4120 wrote to memory of 3584	4120	66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe	97
PID 2084 wrote to memory of 3144	2084	SearchIndexer.exe	120
PID 2084 wrote to memory of 3144	2084	SearchIndexer.exe	120
PID 2084 wrote to memory of 116	2084	SearchIndexer.exe	121
PID 2084 wrote to memory of 116	2084	SearchIndexer.exe	121

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
"C:\Users\Admin\AppData\Local\Temp\66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4124
- C:\Users\Admin\AppData\Local\Temp\66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe
  "C:\Users\Admin\AppData\Local\Temp\66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4120
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path
    PID:3584

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:752

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2452

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1980

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4468

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4308

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4568

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3840

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3788

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3572

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1836

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:756

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4896

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1932

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4708

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4068

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2832

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4376

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2424

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:948

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4944

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3868

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:564

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3712

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3144
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:116

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
a8eeda03ec1a2f4ceb77323409ca42ac

SHA1
2480e87097201c0861ec8d4e92aec50736f28112

SHA256
b185d6707d7995ae0cebad495b9b63ec1e35d3509615a7bfd9cea10239b97049

SHA512
65a7b0214ee82819ab8bfc79003525ba21cb3d32222ed754244b21f7e9973b0069b22173e0cbf306fb9e05b5238e42c1bd4d2f7f47794f41f47f291605a0b4f7

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
68f27fbb4897c33b6e34cae67a51752d

SHA1
2e2a5d97192ece20d89dfa7f74ba65aca5de7edb

SHA256
8b68debf3576eaf420cc0adc45f6619462adff1ed09794a2a9402ac00dd07df8

SHA512
d84965e0cfae6140a52b6ac7c66f075bd159047a36403256f325e7dc7f9e5ff34b8469a405ec51637d6258bedc516b7ffef20a2c6173f4346c37c33f916babc1

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
68f27fbb4897c33b6e34cae67a51752d

SHA1
2e2a5d97192ece20d89dfa7f74ba65aca5de7edb

SHA256
8b68debf3576eaf420cc0adc45f6619462adff1ed09794a2a9402ac00dd07df8

SHA512
d84965e0cfae6140a52b6ac7c66f075bd159047a36403256f325e7dc7f9e5ff34b8469a405ec51637d6258bedc516b7ffef20a2c6173f4346c37c33f916babc1

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.4MB

MD5
97f22db396612b50ff63fc124743373a

SHA1
533aea9b679e8265b987c3eb31ecdcfffc145dac

SHA256
eff7e90ba2440401eeea7ee0449e3cbeb52d4d4baaaa560eccd813008d86585c

SHA512
8fa8d6234a6591567c5c0f656345d53b626b71ff110b1213e370da96aca01f10699f8fdafa2033a62d5bc8bca6d48cac0383d0bed5e451faab3ca690fcb9af93

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.4MB

MD5
a7278ba0e982a4fa3b42f2b0b000433c

SHA1
2de4c5a4a91a82078f23cf4e8be650e489a42e98

SHA256
aa90c54468b21c3f762d5682c06a2ea9360c82e47e96c8a065996bfe572a4790

SHA512
4067805b21e290631dc67a11221bcf6a296ba95ffd61563897eca4c7a70396c137b33ec262f4ae6b30a432ec6be5e5d070fd4232c3f219d2f81e4d3088882b16

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
e6aa4ddd4e47423967d7a002d494b8e6

SHA1
93e5ad3932ccf4ee16adf9c2e5051c2dfac1d43c

SHA256
53cacadedd1cf19260df7a6169ac0ace8bbfaacd6b915b40a1606ca4abfa55c0

SHA512
6a6108facc4c27e8d863a1634e28a124425e1a819860fe7f5616149153e26b63ad9d1c640bef5e1e9e3e604b149bcbd948e044498918eb9a737c822c170fa79a

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
860f6979d4ba897bf1daa3f388586e1a

SHA1
13f4fd79fb60b1a2aba43a827892ed26f6fa3790

SHA256
b728d2b883340f6766ae1b2560c55889610ea9ad3069b484b57bba0e04a939ad

SHA512
1f30aa56afe9d7fc132574f6260467c97f170375abf7d2af428a71709fe916111cc14076bccecba1bc7d242a8f583091b842869a3b6ae995423a6fb793ba2a19

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
aace12cf8ad6bc03b8614d8c73fe4b52

SHA1
d64ed9b8d072708b6159e6e43130e5ce6ea6cfec

SHA256
70a3875fe2d6065b5090690c5d6b4ccae7feeb476ad2c9701684b18be9126378

SHA512
643103b05f99b99cfb687240546decc2360896f44b97271eb37d334c277c206ffe678b1aa1a94477a1657c9abe7b50dc875c79aeff0055b0e2e90641289d830f

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
0c0e1d3f532ba2f28b5b13bb7631dcdb

SHA1
c1c55fe10b6b0b75e04de384fb745db91ff60da8

SHA256
3ff5f1d13cbf6e26c643d583b044aa93a23ea3b217754245842d7fe60b8a4cb6

SHA512
95e2fc4d108b1df630e2a6a50f491cf061563f805d7bf052ca7d648723af7257ac60650337b3be73a0a5725ddb3e32dcb6f0e17e85ad245d5420de515e4195b6

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
88b0ce46fea49d9206d1800cc3d2379b

SHA1
88f21a3e5b8601388ebcf90f86d109966faccc18

SHA256
aea619d99872b0b9b8576b7c129611efdf7006673b30e5e139a40f951dca1cd0

SHA512
d3e9fd31d2340a8d4ec727149454cd1e78098d1dedc8d3d0eddc73509114c9131c7bc195012fda31415c0a4998c9a7b3c12345e08f4c341b7d9b191f0e28c42f

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
0bfec71501b3d1aea97f233f65923467

SHA1
12df31d390e2a482f5e3938dc3e5b139e7e04efb

SHA256
0e41590c184ea54593aa82cc511ac110302c6332f066489a6134b05eaef2cbed

SHA512
946e71bff692b06fe1fd7cc2ad75d39842379609efaa3af47d1969bc56897094ee5173a723f02bd139cfc0c38483ddcff60f126bde4df75e7d5456f4d40ae709

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
1648c94abab7b973ea59691917184c89

SHA1
f6dfb641945d200aca2e4bd4e3f93a9d21ae1734

SHA256
4e945148a87844e35ed1124bc81e3e8b54275187a79cd2b9dd8f2ac536277e4d

SHA512
c653d1e68c8e08a3bfbf92960a6c02b27cdd09744853614190c8f0df9d823234686754db9b12f7492a1ba0a583fcdded6dcb2909794c5f9bbe6a51b3273367e9

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
46aa504f355454c5076af5a2f99b1753

SHA1
d91d1ea004eadd02ed0c4a944f7e128a57ad5e48

SHA256
a2c53f8c2d2348a20cb431911131fae7ae2a6a07bc158cb22af8d756e3096947

SHA512
7dae03c65da2d10195523790eeea54fb0092a7576b644b37fe549888d9d9c510d5a373b7803936b561fc537efba66a5c09ded95a90f03a82bbb791ea2bf8e7cf

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
970b01f05cd7d481db75a96b3efff261

SHA1
444153bad425f9f83d0e628bd95d9f00dad81d47

SHA256
06d5d52826c10ed08726cf0497d46a33dc68c5f6f1846aeb70323deb4c0ce91e

SHA512
bc3fde54e3c5e66ff4c587a5e3cb8d8ab6195ecd34c0ceaa4796d1c2094085ca7bba7b201d772084c9c7bb9fafc3c65e619e20dfe197b4952782b0a561199944

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
970b01f05cd7d481db75a96b3efff261

SHA1
444153bad425f9f83d0e628bd95d9f00dad81d47

SHA256
06d5d52826c10ed08726cf0497d46a33dc68c5f6f1846aeb70323deb4c0ce91e

SHA512
bc3fde54e3c5e66ff4c587a5e3cb8d8ab6195ecd34c0ceaa4796d1c2094085ca7bba7b201d772084c9c7bb9fafc3c65e619e20dfe197b4952782b0a561199944

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
05b41235a191ca7d68aa760f9eaa0a0d

SHA1
ad0bf895c5068026241b1664eaf167df01ca4514

SHA256
f74e8ebafd186ebe5aa79a3437f8edfd607e1dd9a2372d19cd4b8cbc7725dae8

SHA512
1056fe93efa19743f09c2ce2ecc8af2c99f988e63c34298a4b199d9547292b9baceccea695b4332107fa14514434fc8b4e56b833c270b0b4675756646ae7c76d

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
8658beb346ff2dc2a40cfae1d04b104d

SHA1
695ff3c35a0a3fa6c0593bc2532e918d7140d874

SHA256
ec552476d77edcbb0ad211063dcf07dd5c157b1178647f6fd12d3773bc6582d7

SHA512
b6960f27bc0ecc303989d339de1240fbeb2df6a1f9a6ca3cb744f6dc0551afa41e2d568523faab75d79ec58b1eb8e7624fb556ebead1ec51cf03e5c34789c153

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
ffe16d5435b29558886cffe8e6a4a39d

SHA1
5ca80702fef6275a57221f374da8d24adb15cb78

SHA256
0627cf3fd9a94b28b2379d71923cfddf14a3919773c5bb81209f9920dd9eaff4

SHA512
73087dd4eef7a4c1477f0fade520dbfc7afcdbaa2f44633bbe1b729e5788b62b5b4a4aef590810e4b4c794dd5779fe9e68b5324ee7e2cac090b55a7d4e7434c6

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
ffe16d5435b29558886cffe8e6a4a39d

SHA1
5ca80702fef6275a57221f374da8d24adb15cb78

SHA256
0627cf3fd9a94b28b2379d71923cfddf14a3919773c5bb81209f9920dd9eaff4

SHA512
73087dd4eef7a4c1477f0fade520dbfc7afcdbaa2f44633bbe1b729e5788b62b5b4a4aef590810e4b4c794dd5779fe9e68b5324ee7e2cac090b55a7d4e7434c6

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
18fdf18ada4fe271d051e151eabcde8a

SHA1
d12a1c48b8435bdb671f57c7098cf0e15ade78ce

SHA256
cc450aba957528242f5f2d7c1aff85336af0445bfa40615811081664b0645e03

SHA512
8ebcdfac7ab38810e9a16b0d823d782888b890f213e1cd7e2c2ce6036d1ea950f2d0e7bacc1dbff2246accdea137b36fb08b1342e3e9a4d313eaa4663024c5ed

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
0f0ce30083c6aa970164e7a74a0b503e

SHA1
7080a797e0741d35ca69631e18924aebbced7186

SHA256
2b49779c844e5936794f4f274f4fb10c6d1ec13161ab846ba3b0247459387eca

SHA512
662320fdb8411fc966608f2227608d4e9b69e0e00879295fa552b59cfcf2435c037e67f6d4f82d1d511d2c9e7af5e4f2b9dc70edf3718cf5bd7f1f9e0e24e1a6

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
d7d7da5b741c29531313ccd4ae7f436f

SHA1
86f9f1ef1cc4b814157c4f5854e334614e97f7fd

SHA256
5bae06273e2622f82b8cf2fcdd57d97bdcca9b8ea3c48a91f009dc52558b94bf

SHA512
e3abd890b6713b74254868fd8e4d1be279e0159054d87457a913140ea693f6ebbd6557367efadb7aa2b0f7e16d3484c93f4bd15f019ce64a9d854aae56b09b1e

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
a482762204a4bf7fc087a46845c2feb7

SHA1
d6b40aaf89a5a69842f5bb525d761b61a31bdfdd

SHA256
1008ac8b1eb8e79333236c906a8f2cc67cb303e8b5036e8239b43985737f0b0c

SHA512
19a66e2941b36f5e67dd22d6c65af6aeb8620069e3fd79d1a81d80c24a7fb0cd4fb85dcff2b87316425450da09951ce3e223545bb77dcdd3e1272418c43d54aa

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
a3ec0e96c549ec88c78809ad31878324

SHA1
74a05ccb6aaa0b13104b32c3cbd884cf714f80e9

SHA256
ce8d9a872def851fe8d770b349490598feed9d23c7935fac44a7969a757c1479

SHA512
cd0642609fbb8ac1d3d1d0eb02bf6392a629d4caa189fd5a068abd855798188200f98790d32bd131d67298eb6dcfdc7103186d5fdf7a22a6e340efc8d2bd8b38

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
972c81800cf82cecc91cd109a03cb0f4

SHA1
20c1bce40df45cd4f8494c5e4387e419fb7cc26a

SHA256
afb143355ad87221817c49a1085a108c1ef0648c5e473ef26a02b28e79061450

SHA512
1a266c98b8111857aea86872f479b83ac0274c471456842f5bf82a1dc41c1aef651b160dcc0538c4b226a72e467eb9ca9bd3aa9d80366856c8b0e8cdf5a4ee8a

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
88a6f1fd53cc5d57a0bfd2589f2234f1

SHA1
fbaa6c213629d3b74ed82ed90e732aa467e0c180

SHA256
c9ca94857f71dc15607cd6fcb5acdebd7b31f6fe6d1e89dc89d38fd80662986f

SHA512
37aec065dcdddb6ffece29a5f8d1293014088fafe0ea56122c7321fa60738b4d6942d8e79b365cc59a32a59ecd87fea848442ef9bc9218d6bf8de67e450c3692

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
74f9a5956247268108d97f092bc2aaf7

SHA1
4a0b20708ba316a2a619e38102aeb19355e5f5c4

SHA256
897932e1930711510c769e7d175e4fcb09bc01b71e974f192f1a3c0849e1b33d

SHA512
44d3506fc281d358420b5c89efee2b2f78a11264fd44ec9b2b242f0f1d9089950d20818b87cf0c7110e216c9aeafa030276423d259a0af1d70fb072e22f315bf

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
f49f45b16bfea93a1a62cab41e567e44

SHA1
0464b7b103e9ebe37c25b05fc24e1f7c8310d2f9

SHA256
399f7b63bc7765b9da7309b2dc84e16ca4f825fd1f4caa728a2a422577aea22d

SHA512
9625773b732e29d300934b478fdae37020617bd9b1adadcacf506eb26c8959079149ac01054f470fe6ef367d85e07e24e99787a975512cf15020e7f906b6e95d

Download Submit
C:\Windows\system32\AgentService.exe

Filesize
1.5MB

MD5
9754e7313aa427964949ae571e15e434

SHA1
449fabadf604b87a7bcc1a4be226cc3cab721db5

SHA256
e6bcb8bbd1150d96ea580c5aff0926283e84ec775bd67662781d6ab75c63c858

SHA512
d43eff4fcfd872f49e4e4da0b96972ad22bd9f14d5d788b33ed84ba87f4f77bddecaee39e6c7c5052790a1f7c67f8437b259d39acecc7f8043abecb7fe08bbc4

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
2a582e215fcddd19fe83fa315a4c3629

SHA1
6c75c732c64da6d312c956bc5bf9febd44bbaec0

SHA256
20df31d247236b91403f45a7221232b96e440284af6d3d92d55fd1094d4df6e0

SHA512
4c8aaa34aadf72664dd48117c1b3138f7019ed4d08ecc8424b9760f44d866afe4888fa146ae7d9ce2419733cc5725bb5386bf3e19c41770604d11ca6111e6037

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
43f5d43a48ca35020f47c13d9499b134

SHA1
913950bf0984a2f2745a054602146df4fb0052c2

SHA256
6ea6d433499d3708381448f22380f1d1f58c462c35d6a310990442b0d9e93a6a

SHA512
c628b077a04d8216f2640c5b01ce8ff53cdcb529ef11199c85f896cb6e30fafb6120073a68c842aeec074cdb8835b258087506d9b97a8585d3dda2508598944d

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
1648c94abab7b973ea59691917184c89

SHA1
f6dfb641945d200aca2e4bd4e3f93a9d21ae1734

SHA256
4e945148a87844e35ed1124bc81e3e8b54275187a79cd2b9dd8f2ac536277e4d

SHA512
c653d1e68c8e08a3bfbf92960a6c02b27cdd09744853614190c8f0df9d823234686754db9b12f7492a1ba0a583fcdded6dcb2909794c5f9bbe6a51b3273367e9

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
3254853dfdc418f3de4de08b39d8a00d

SHA1
52777b2bffde76468c7c574bfe088e7ee04b77e1

SHA256
bc41cec9b7da1ed2f4d6e7ace9d2286760932cc944cc85fe2e7809f9c2f7b89c

SHA512
f61aef2afda8fdf3175f297637463043f8e15f9109b8f465b033c57eeb02975fc75c177db83738c0b91ae230dd2fc58dcf4101e02148f4807f00c3c0c778b560

Download Submit
C:\odt\office2016setup.exe

Filesize
1.4MB

MD5
daeaee75f708f1573e534723f6a2433a

SHA1
74a55e76e8b4946e778c64721eb3da46b068f451

SHA256
777dc0bc2144356a481bd1ba8b8b1237b57580f3b848eaa0cf846f8a780ba3b5

SHA512
e3b291f020474ced81ca63972ee080173a7c8bb0a3ef60daa420b13f1d2d132489c50ae209d3d1fae60bfb46239801308178317d58da9ab222213300dbd2440b

Download Submit
memory/116-626-0x0000023377CC0000-0x0000023377CD0000-memory.dmp

Filesize
64KB

Download
memory/116-628-0x0000023377CF0000-0x0000023377DF0000-memory.dmp

Filesize
1024KB

Download
memory/116-627-0x0000023377CD0000-0x0000023377CD1000-memory.dmp

Filesize
4KB

Download
memory/116-721-0x0000023377CF0000-0x0000023377DF0000-memory.dmp

Filesize
1024KB

Download
memory/116-716-0x0000023377CF0000-0x0000023377DF0000-memory.dmp

Filesize
1024KB

Download
memory/116-715-0x0000023377CF0000-0x0000023377DF0000-memory.dmp

Filesize
1024KB

Download
memory/116-714-0x0000023377CD0000-0x0000023377CD1000-memory.dmp

Filesize
4KB

Download
memory/116-713-0x0000023377CF0000-0x0000023377DF0000-memory.dmp

Filesize
1024KB

Download
memory/116-712-0x0000023377CF0000-0x0000023377DF0000-memory.dmp

Filesize
1024KB

Download
memory/116-711-0x0000023377CF0000-0x0000023377DF0000-memory.dmp

Filesize
1024KB

Download
memory/116-710-0x0000023377CF0000-0x0000023377DF0000-memory.dmp

Filesize
1024KB

Download
memory/116-629-0x0000023377CF0000-0x0000023377DF0000-memory.dmp

Filesize
1024KB

Download
memory/116-709-0x0000023377CF0000-0x0000023377DF0000-memory.dmp

Filesize
1024KB

Download
memory/116-670-0x0000023377CF0000-0x0000023377DF0000-memory.dmp

Filesize
1024KB

Download
memory/116-708-0x0000023377CF0000-0x0000023377DF0000-memory.dmp

Filesize
1024KB

Download
memory/116-707-0x0000023377CF0000-0x0000023377DF0000-memory.dmp

Filesize
1024KB

Download
memory/116-671-0x0000023377CF0000-0x0000023377DF0000-memory.dmp

Filesize
1024KB

Download
memory/116-706-0x0000023377CF0000-0x0000023377DF0000-memory.dmp

Filesize
1024KB

Download
memory/116-672-0x0000023377CF0000-0x0000023377DF0000-memory.dmp

Filesize
1024KB

Download
memory/116-673-0x0000023377CF0000-0x0000023377DF0000-memory.dmp

Filesize
1024KB

Download
memory/564-386-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/564-625-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/752-156-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/752-168-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/752-162-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/752-407-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/756-290-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/948-359-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1836-269-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/1932-565-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1932-294-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2084-412-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2084-634-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2424-592-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/2424-345-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/2452-185-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/2452-170-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2452-176-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2832-344-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/3572-267-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/3584-190-0x0000000000B80000-0x0000000000BE6000-memory.dmp

Filesize
408KB

Download
memory/3712-410-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/3712-633-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/3788-233-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/3788-535-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/3788-234-0x0000000000650000-0x00000000006B0000-memory.dmp

Filesize
384KB

Download
memory/3840-228-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3840-231-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3840-219-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3840-225-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3868-624-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3868-384-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4068-591-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4068-318-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4120-164-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/4120-405-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/4120-149-0x00000000031A0000-0x0000000003206000-memory.dmp

Filesize
408KB

Download
memory/4120-144-0x00000000031A0000-0x0000000003206000-memory.dmp

Filesize
408KB

Download
memory/4120-140-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/4120-143-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/4124-136-0x0000000004EE0000-0x0000000004EEA000-memory.dmp

Filesize
40KB

Download
memory/4124-139-0x000000000A9F0000-0x000000000AA8C000-memory.dmp

Filesize
624KB

Download
memory/4124-138-0x0000000004F10000-0x0000000004F20000-memory.dmp

Filesize
64KB

Download
memory/4124-133-0x0000000000340000-0x00000000004B8000-memory.dmp

Filesize
1.5MB

Download
memory/4124-137-0x0000000004F10000-0x0000000004F20000-memory.dmp

Filesize
64KB

Download
memory/4124-135-0x0000000004D30000-0x0000000004DC2000-memory.dmp

Filesize
584KB

Download
memory/4124-134-0x0000000005230000-0x00000000057D4000-memory.dmp

Filesize
5.6MB

Download
memory/4308-195-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4308-210-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4308-202-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4308-505-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4468-192-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/4468-196-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4468-188-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/4468-187-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4468-180-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/4568-215-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/4568-208-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4568-503-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4568-207-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/4708-317-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/4896-292-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/4944-607-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4944-363-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download