blustealer | e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
17-04-2023 12:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Shipment invoice.exe
Size

1.4MB
MD5

eaad3c08a1f393d748dd5e1a615b2b3d
SHA1

84a3f6c915201d6a662ad227114754aea6c2ee2c
SHA256

e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef
SHA512

2090e33e11e3a0ec15052b4c1f32574da80786655f22c766046c536dd47f9b2608279a9562d5cf5107a1a28b0ce78dc0a13c934643919f067c8f6a89b3db489a
SSDEEP

24576:vzOB9fWDrP3eS3OzAMgzZba9W4tL40ze2mLpNPT8EWAinrixydMvD:vzOB9fW33ekxXzZba9W4tzeJeEWPiqM

Score

10^/10

blustealer collection spyware stealer

Malware Config

Extracted

Family

blustealer

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 22 IoCs

pid	Process
3952	alg.exe
1952	DiagnosticsHub.StandardCollector.Service.exe
4460	fxssvc.exe
1472	elevation_service.exe
3332	elevation_service.exe
4624	maintenanceservice.exe
4992	msdtc.exe
2028	OSE.EXE
1796	PerceptionSimulationService.exe
1996	perfhost.exe
1316	locator.exe
1732	SensorDataService.exe
4332	snmptrap.exe
5096	spectrum.exe
3892	ssh-agent.exe
1876	TieringEngineService.exe
660	AgentService.exe
3900	vds.exe
4984	vssvc.exe
4548	wbengine.exe
3372	WmiApSrv.exe
3644	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SgrmBroker.exe	Shipment invoice.exe
File opened for modification	C:\Windows\System32\alg.exe	Shipment invoice.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	Shipment invoice.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	Shipment invoice.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\7d89765550d0d086.bin	alg.exe
File opened for modification	C:\Windows\system32\wbengine.exe	Shipment invoice.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	Shipment invoice.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	Shipment invoice.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	Shipment invoice.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	Shipment invoice.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	Shipment invoice.exe
File opened for modification	C:\Windows\System32\vds.exe	Shipment invoice.exe
File opened for modification	C:\Windows\system32\msiexec.exe	Shipment invoice.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	Shipment invoice.exe
File opened for modification	C:\Windows\system32\locator.exe	Shipment invoice.exe
File opened for modification	C:\Windows\system32\spectrum.exe	Shipment invoice.exe
File opened for modification	C:\Windows\system32\vssvc.exe	Shipment invoice.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	Shipment invoice.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	Shipment invoice.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	Shipment invoice.exe
File opened for modification	C:\Windows\system32\AgentService.exe	Shipment invoice.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	Shipment invoice.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	Shipment invoice.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1908 set thread context of 1932	1908	Shipment invoice.exe	91
PID 1932 set thread context of 3820	1932	Shipment invoice.exe	98

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jabswitch.exe	Shipment invoice.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	Shipment invoice.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\wsimport.exe	Shipment invoice.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jabswitch.exe	Shipment invoice.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe	Shipment invoice.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	Shipment invoice.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	Shipment invoice.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe	Shipment invoice.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	Shipment invoice.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	Shipment invoice.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	Shipment invoice.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe	Shipment invoice.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javaws.exe	Shipment invoice.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	Shipment invoice.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdeps.exe	Shipment invoice.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmid.exe	Shipment invoice.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\nbexec.exe	Shipment invoice.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	Shipment invoice.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	Shipment invoice.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe	Shipment invoice.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jinfo.exe	Shipment invoice.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\servertool.exe	Shipment invoice.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javacpl.exe	Shipment invoice.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	Shipment invoice.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	Shipment invoice.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javac.exe	Shipment invoice.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdb.exe	Shipment invoice.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\wsgen.exe	Shipment invoice.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\orbd.exe	Shipment invoice.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\rmiregistry.exe	Shipment invoice.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ktab.exe	Shipment invoice.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	Shipment invoice.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	Shipment invoice.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	Shipment invoice.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	Shipment invoice.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	Shipment invoice.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	Shipment invoice.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\servertool.exe	Shipment invoice.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\klist.exe	Shipment invoice.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	Shipment invoice.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	Shipment invoice.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jconsole.exe	Shipment invoice.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstack.exe	Shipment invoice.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\kinit.exe	Shipment invoice.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe	Shipment invoice.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\ktab.exe	Shipment invoice.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javacpl.exe	Shipment invoice.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\ktab.exe	Shipment invoice.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	Shipment invoice.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe	Shipment invoice.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	Shipment invoice.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe	Shipment invoice.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe	Shipment invoice.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\orbd.exe	Shipment invoice.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jjs.exe	Shipment invoice.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\rmid.exe	Shipment invoice.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	Shipment invoice.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	Shipment invoice.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	Shipment invoice.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\pack200.exe	Shipment invoice.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	Shipment invoice.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	Shipment invoice.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jjs.exe	Shipment invoice.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	Shipment invoice.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c9b200d53871d901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000081458bd23871d901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003a0990d23871d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a9bd08d43871d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c8737ed33871d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004afce4d33871d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	69	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
1908	Shipment invoice.exe
1908	Shipment invoice.exe
1908	Shipment invoice.exe
1908	Shipment invoice.exe
1932	Shipment invoice.exe
1932	Shipment invoice.exe
1932	Shipment invoice.exe
1932	Shipment invoice.exe
1932	Shipment invoice.exe
1932	Shipment invoice.exe
1932	Shipment invoice.exe
1932	Shipment invoice.exe
1932	Shipment invoice.exe
1932	Shipment invoice.exe
1932	Shipment invoice.exe
1932	Shipment invoice.exe
1932	Shipment invoice.exe
1932	Shipment invoice.exe
1932	Shipment invoice.exe
1932	Shipment invoice.exe
1932	Shipment invoice.exe
1932	Shipment invoice.exe
1932	Shipment invoice.exe
1932	Shipment invoice.exe
1932	Shipment invoice.exe
1932	Shipment invoice.exe
1932	Shipment invoice.exe
1932	Shipment invoice.exe
1932	Shipment invoice.exe
1932	Shipment invoice.exe
1932	Shipment invoice.exe
1932	Shipment invoice.exe
1932	Shipment invoice.exe
1932	Shipment invoice.exe
1932	Shipment invoice.exe
1932	Shipment invoice.exe
1932	Shipment invoice.exe
1932	Shipment invoice.exe
1932	Shipment invoice.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeDebugPrivilege	1908	Shipment invoice.exe
Token: SeTakeOwnershipPrivilege	1932	Shipment invoice.exe
Token: SeAuditPrivilege	4460	fxssvc.exe
Token: SeRestorePrivilege	1876	TieringEngineService.exe
Token: SeManageVolumePrivilege	1876	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	660	AgentService.exe
Token: SeBackupPrivilege	4984	vssvc.exe
Token: SeRestorePrivilege	4984	vssvc.exe
Token: SeAuditPrivilege	4984	vssvc.exe
Token: SeBackupPrivilege	4548	wbengine.exe
Token: SeRestorePrivilege	4548	wbengine.exe
Token: SeSecurityPrivilege	4548	wbengine.exe
Token: 33	3644	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3644	SearchIndexer.exe
Token: SeDebugPrivilege	1932	Shipment invoice.exe
Token: SeDebugPrivilege	1932	Shipment invoice.exe
Token: SeDebugPrivilege	1932	Shipment invoice.exe
Token: SeDebugPrivilege	1932	Shipment invoice.exe
Token: SeDebugPrivilege	1932	Shipment invoice.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1932	Shipment invoice.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 1908 wrote to memory of 4228	1908	Shipment invoice.exe	89
PID 1908 wrote to memory of 4228	1908	Shipment invoice.exe	89
PID 1908 wrote to memory of 4228	1908	Shipment invoice.exe	89
PID 1908 wrote to memory of 4212	1908	Shipment invoice.exe	90
PID 1908 wrote to memory of 4212	1908	Shipment invoice.exe	90
PID 1908 wrote to memory of 4212	1908	Shipment invoice.exe	90
PID 1908 wrote to memory of 1932	1908	Shipment invoice.exe	91
PID 1908 wrote to memory of 1932	1908	Shipment invoice.exe	91
PID 1908 wrote to memory of 1932	1908	Shipment invoice.exe	91
PID 1908 wrote to memory of 1932	1908	Shipment invoice.exe	91
PID 1908 wrote to memory of 1932	1908	Shipment invoice.exe	91
PID 1908 wrote to memory of 1932	1908	Shipment invoice.exe	91
PID 1908 wrote to memory of 1932	1908	Shipment invoice.exe	91
PID 1908 wrote to memory of 1932	1908	Shipment invoice.exe	91
PID 1932 wrote to memory of 3820	1932	Shipment invoice.exe	98
PID 1932 wrote to memory of 3820	1932	Shipment invoice.exe	98
PID 1932 wrote to memory of 3820	1932	Shipment invoice.exe	98
PID 1932 wrote to memory of 3820	1932	Shipment invoice.exe	98
PID 1932 wrote to memory of 3820	1932	Shipment invoice.exe	98
PID 3644 wrote to memory of 1964	3644	SearchIndexer.exe	119
PID 3644 wrote to memory of 1964	3644	SearchIndexer.exe	119
PID 3644 wrote to memory of 2660	3644	SearchIndexer.exe	120
PID 3644 wrote to memory of 2660	3644	SearchIndexer.exe	120

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\Shipment invoice.exe
"C:\Users\Admin\AppData\Local\Temp\Shipment invoice.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1908
- C:\Users\Admin\AppData\Local\Temp\Shipment invoice.exe
  "C:\Users\Admin\AppData\Local\Temp\Shipment invoice.exe"
  2⤵
  PID:4228
- C:\Users\Admin\AppData\Local\Temp\Shipment invoice.exe
  "C:\Users\Admin\AppData\Local\Temp\Shipment invoice.exe"
  2⤵
  PID:4212
- C:\Users\Admin\AppData\Local\Temp\Shipment invoice.exe
  "C:\Users\Admin\AppData\Local\Temp\Shipment invoice.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1932
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path
    PID:3820

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3952

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1952

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1140

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4460

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1472

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3332

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4624

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4992

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2028

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1796

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1996

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1316

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1732

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4332

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5096

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3892

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4360

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1876

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:660

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3900

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4984

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4548

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3372

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3644
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1964
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2660

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
f36bb4b5a7eadd49a2f43c1161ef8b98

SHA1
53ab0cf4fd2144f3c38a94e4cd088a1fdd30cc62

SHA256
7a8852b9d114206022aeab3ef7e4cf954d0f0057c3cbbd32bd93cfed4d4dd29d

SHA512
1ac857111bce108691a3af138d4f020d85b9f414e93db101e3cad08e0327095c6456c1bf80e7fa16aaeea6771d25ad9f8f3a8b1fd174850bd0a3c8f29f1a3211

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
9f7616270ac84bab2c8dcd89b3e370df

SHA1
073a015183ccd9a817efae5cf997ec94acdf6695

SHA256
1260cd91d3e5b0a34c81d25d5d711e5030d4469c3afab38120c56bfecb220321

SHA512
e1dbbdc96ca6a71050e7ec2f5fe04fd91498e85be6a5e1964eee72c387d94897cce40ed8a74d627eb245cea36a2f9804a64e46aade85a7e17faf383db0f4ac8d

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
9f7616270ac84bab2c8dcd89b3e370df

SHA1
073a015183ccd9a817efae5cf997ec94acdf6695

SHA256
1260cd91d3e5b0a34c81d25d5d711e5030d4469c3afab38120c56bfecb220321

SHA512
e1dbbdc96ca6a71050e7ec2f5fe04fd91498e85be6a5e1964eee72c387d94897cce40ed8a74d627eb245cea36a2f9804a64e46aade85a7e17faf383db0f4ac8d

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
8f40e9bafce316f12fd1144eaa15f5d4

SHA1
23311604de27b2952b742203d6876a7184f15803

SHA256
c8173adc3c4a997a68f2a9573907a28ecd3961a1b6eabfcc6fc5a3f95235f837

SHA512
ea7b95f593fd9b9f39487f68ef8f02fd8daebbd4e85c522abb684416a81a2242b12da9d31015408a6299ff4a14a6b6463bb4f502a91a7c8c5a3d0335d2809bec

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.4MB

MD5
112d2cb3bc384ce84271d9537ac9972e

SHA1
9ffea91a94e74dc9fbb642fc70f969b54b4c2a87

SHA256
1eac783b4d782ed72a3f912c6d461993662d2f68ec4fb9bf732c5cb16fe9661d

SHA512
34823ab0dbd8a98edada9891ba560e32c5ad20da69d71fb8e7e04727cc31b0c2ea1114e4cf37ddf7766f1e7256103ae0ae90f7d54f00375d14793f6b24d7b8ce

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.1MB

MD5
cb63ca39f4c19be3cff06e4b55dbbfbd

SHA1
ec5c7debdda1f879f727d0982b7e1cec46864805

SHA256
b1863db2e776deb9712fd5026546d0b9efbbeae307e9469543694e859d9bfeb7

SHA512
2771b7671e3118c40f1637204c2ef3b3e756f2c712eedf53e38269f2ae5df47cc8bcc925b6bc4c9b0c48ec72e9f01d18f438ffaf5197d11f045d9c57a8483fd0

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
13ce6eed0cabbd4aa8a9cd1abd70e5c2

SHA1
c0010566ec177ace8a1eda9caf1779443b7eedd6

SHA256
d8531d2f211f9d59661f8e750be900f8b348b37c6a2175cb80326a432b7a2c86

SHA512
4b280988e9cb37ae2afdb94fcfce03e2c096a3a43fa5a6b1e079ab74c4fd8c5e9cbd4c393c118859b1da7b960a1b832e0bee40f7758266ab5f55047a0962a855

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
b401f20af462d00652e32b5a0aa1f419

SHA1
3137b9a3b9c47d835ee31e7e6942a623535a50a5

SHA256
ce3d465773524bb0fa736c35eb3c5efabc7c8c654252496ecc16e8954b507f2f

SHA512
9ab5b9c77d132fa4f159f9f0784037597c3e42c5f680f4041aa2bec081bdaa8138f989889786e327ca53f14025b76d660d16d9ee46091382f311ad894c0239d2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
2.5MB

MD5
075ac2aa160cb3fe7e59f57c306ba910

SHA1
03453f1689da248c84903455d0ca48b4735a8b6b

SHA256
4a3c4e0b85126be1e1b15c5884f80e0b15c3828723762b7f0fb3357d2a1740f9

SHA512
a42e866a9b7520f83901efd9f9c7c400e10e57964d8bbfbb48d635ff653a1579d4e5a318cc8d8774089bbeb1c9a149ff1432d619f962c762bee4fcb5a6ecadc3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
9ac58cb9962c99ae6cb048728939a87f

SHA1
ffe599bba830a7d9bc4b13a79306beed47cabde5

SHA256
9e4dd65bc496c4e5ca52185c580abfba65d3995349cfa9633c8d72f97b3dd696

SHA512
fa79e0802c554d5a3c136a3032bf8aa96313b5c4c5f5d73ffc74a0a4c28a6c15182e868a672390988597b2d1d5889b81cfbd6f200409cac6e04db1e7b4b6a407

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
2.6MB

MD5
eb7ab06c695557d542a139cbc7c261c7

SHA1
9cac4ef92fb0fe030edd1fcdd6416b8314bcb17c

SHA256
403e7fbcff32ce39d577e170071b6574df20e313ca2612a65f00bd8a486f6138

SHA512
b4a8ad82a48553026c7f15f55c2cf1651aab403a89f4a03ebe1c53b9d550cd5f068ec0c87a0dd18660a10a70dd6287852823bb476abfd5474bbbb80a2c0eae08

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.6MB

MD5
becc8370408890182d743cbe66a7abe6

SHA1
de2647a5b8bfc5d108e1b6e2bdc3697352bc09d3

SHA256
b7c7527a22f14d907ce6de5ef4401c58b619bbbb2668face47b474919df376b5

SHA512
d60eec0f72a9c934c2edf64daf2f726c8cc009b15eae5847975862e3260055f8616f3b0da838bed2aef2bafe9d675037aea9c41dd1592bb70dbe7b7b481b40e3

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
576KB

MD5
2dfd2edaa652b06f7054fba7c6d9744e

SHA1
b7c3c6001cefb7dca604824c72f128afd82bfa58

SHA256
684a6f97a4a38b49d30f14a10a87f556a48465bcf598b05dcdf13fe34079184c

SHA512
ddda8c3d6103777ddeefd9f30d109f9f382b0723db5c61d01ed4323c29809a853810b2a6ce140e82b9d7e5ed68463bc94ba41b51a2078d2d9a78612ad74a178a

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
1d077ab0cf33b5f529ffa81c42d62d01

SHA1
4b9222e030e7a9b549b09c8f314fbc265d4429cd

SHA256
87db3069563e9427101bd06b8d61ea3c990b45164283c673652884bdee0dac7d

SHA512
6f2e7712d954499eb8cf7174acb5afd53d1a3f32d7a8f22ee1f5acba039f27ec897027355154970075884c94509dee7665210e41c3230e3498dfc8d1754d752d

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.2MB

MD5
86fed86a751d38599ca7686d79bc222f

SHA1
67fc3076882908a1f74777eff326ed79c2128594

SHA256
3fc34a243a7b84634451671464c73bd4d42bb86d27daaf672b0b99cd99fb6858

SHA512
0d38bf215ffce340a724becf06dc2d16fddf633b3af1fa86aa1433c9f136535a520b17e3c7f9bc955f424082e93d4bc73f299b16590e5849994d0c665ab3fdda

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
d9f264ca00086bd21b3f3a353e30bacd

SHA1
5edc1cb072f1bfd902e79812f29387bbcef3aaac

SHA256
e8eedcdf66919e7d2bc11ca616ed37d4eb606c8ffe3f360da1094b1e6a7bf9cd

SHA512
05f4c124e4ac4c110368b9a8ee24eef86e92b708a276fde777fb4eb3a4812fca5ed04dae5c117ded97398d4925fdaf63ca75d910e19ed281510767911b8c294b

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe

Filesize
384KB

MD5
40b38d3ec02c302fc0ccbf41845b1cb9

SHA1
b2102c256c44ad3b1d0a5710aba93ac8069de750

SHA256
e0ef1c2266f1c8248a73ea0ba56ea539dc16f64615b81b389c7ad7585d9c0384

SHA512
ec8a6319669f92cef88c49bb329d6d523bc84b803c8060acb80855b8b86df39e71f71e8683ea714766b4a14392af5b1dc1580c4b0dae53f83a45a52aaa5ae401

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\java.exe

Filesize
384KB

MD5
9f05a4de39359cc80f14fff6ec72954b

SHA1
c290ff7ae7d3f5479f0357081b57cf33ea44888f

SHA256
b8500e5abddf9ea5efd16b8d7f441fc519efc512e180c76be2a0d215b8954a91

SHA512
9ea79d578ac862429ad935cea8982b9f1dbad1171b32e3a2fecee324a391daebb552649abf48e4e385690b4896b17312b218bfdf712eeb3063f441a883b2564a

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javac.exe

Filesize
384KB

MD5
c7dea9ffe54016da0df15eb2eacf7e37

SHA1
e49051b1dbdaaac290b0ecf381aa988e0a6ea724

SHA256
f6cc96d6d683aa00bea429a1ac1c729acc426979fc428514c0c9373a8b425c84

SHA512
440c03fac533bb2cf20d226627315a54eb92eeccb155fc036f94ec1c58afd5967350731a96c9fb164080528521387239affaef7e1d9cdac71a059904221eb057

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe

Filesize
384KB

MD5
57f27a4624e60f550816c2667abaf560

SHA1
1479dcd0d62435b90c5750b303c03038d9895396

SHA256
3a994010aaf031412fc208c5c2bd78deb77df3c7887db0cea131d1ce55a7b5be

SHA512
c60bc28245886ca87d59832aa0c44b01f53dcc98637cf1deabeb6987465ed0afa9b42736ca91dced777fa6a9f886904aa182984278e03b76ac3737188d3ebef2

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe

Filesize
384KB

MD5
ee4db32522479e92e4b9d44f05e76eb8

SHA1
98626227b827b04e55da27723e19f48240b01d97

SHA256
ab6f57c368076143c16d6e8235545878c4127186a1244cd9bf934690f491038d

SHA512
5ed26fdf71bc39fcc84d0f5c23aca5c8c1fb92514e6458b95c051e56669d2d33d7c781a618b5a67c44cf29da9fcd52c41228eeb515efcb64447f64b1f572e05d

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javah.exe

Filesize
384KB

MD5
30a83987fe3723bfc7df19811b041907

SHA1
f35999d4ad42503f53802589df64666dfd055441

SHA256
e51e1589fbeabb928b146f57c0db4299631c144afaf760bfc1428a88676accb9

SHA512
c7cb121c1bf3c66e863ef43a8916b3187c9cf4fa05ff472fc9f47d9d147d3e7b6bc22a3d2364b259e3244f072aaa080e3dc16524f1844dc7aff4b5b8038547f2

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe

Filesize
448KB

MD5
165f42f064eb7e1a1b90b8acae1887b0

SHA1
b70ae57968c620ade6929ed843bed4f4f45fb323

SHA256
21e3aa2f0712488ba1483c10f9ab04c493dc9320c39fa1121d94ce6f290192b5

SHA512
aa8c9cac69bf99ddb49de6fdd6265e41884747a45bd3b6bf9f5dbd4c73c3066a443aa138d979a1e83b9ad4223abcd90a5552b1df9b9d473b16c72e0b94ccbdf7

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe

Filesize
448KB

MD5
57fe9cf200ba887a176124ef3e0df486

SHA1
5cc3b69ce35681d06df03e130fabde157caaf2b8

SHA256
3ae5b424452b6b54e892ac667da323c9ead8b56a8375850a6c1600a2a8a65d28

SHA512
6f9e6633658ea9ab141a233e4a240752086de3d985d4492f70b16f20c74e38aba84fc7534bdc6dcdf10dc188fed84da332a072f6cf3904af9a6d0080c4de1b42

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe

Filesize
448KB

MD5
24c5c802a7fa34ca5429fa1fe8f4707f

SHA1
e5734c867815fc8f260fc511871387966ba6ac63

SHA256
268c9d878f9caf9781557ccebd2d1c7ae6421641c7181e008eed6eba85f1a7de

SHA512
8ce6896116f031768e15af94ae29690da04d11e9fe4f4863414499556955a31e156d84fd2b85863760e487d25c64b6bc71f2cdde9c379e5344d7e68e7e2f9c47

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe

Filesize
448KB

MD5
e2c54519bedc0616c69eb235a99d70b2

SHA1
7bb4c80e6dd935813af8b5103be35d6acbb0b427

SHA256
ac51d50d0fe34de9ce599e80ac26513f6a49e500875adde6045b113c2dc824e0

SHA512
3f5fa23b0eeef4473139eecb32f7d38336ca3efd6bc06826e423970637a383a9b56f4b2cddf7cd5b76924e1ce69930d5b2351f672eba4d7209046f44a34729bd

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
ddac79b4008cbcbf3c79948e24b3fc62

SHA1
266b59a36de83112565acb84d16030dc48db9db6

SHA256
455430be114f18c50bd050e35defa9c6ae698e7f672f580eba130cc4dfbeef8d

SHA512
0ab88267a34de331b88add6752673314bee0ee4d0344695bf808e0fcc9f60f9ebdadf11566bc65b32e40d6313416422d957e9544a3133e543966c7153ffda82c

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
362e79d3774e04ef374d3df24cbd7317

SHA1
3b1edcffe2d3bc1f7a5f83f3f8eefece6e30f3c3

SHA256
9291afcd5290baf3a16ba592eaa8970c829dfae6a9f014ff1a8e6037e7879cf9

SHA512
88ac8b8e3d556339a8c4c8b2a7fa4835db5bfc3e4194c2b3dff177ce94b5a4bf0d50a37424539652d3a5bf091fd957dd289c7839021f499d269d5cab78a88371

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
3ad674c58502b568fe85eb7d04238fe6

SHA1
3bbb2fb87cf46940352a2f7634518411105efdf3

SHA256
68e27d77309e7357a21d9d1ba65b167c4fb8f36d9a274f0d893c8cffefad4177

SHA512
d573812adc4074a97fa356085ab91d3da6d24f12b58f18b1e1905eaed3f35aff13e09baf4454b108a1e430af2aee7854ab870a5fd5ecc85823a98bab9f09daf1

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
cd1c8b0bdefffba6fd460fb452ef13ed

SHA1
c36af148b2076bb0eaf1389b0a47482777da138f

SHA256
de22ca9a6180eab8748d4674b4d9d359c1fac73fbae69cca42c7dc66715e38ea

SHA512
8555895b100d933b11c885b7889d6261de0a3bee45b59853a40e0b46ba1f18d2f4fdcbc2403497fac9cbfc83df38db3e10756a1dff9b1977593224829951a9f4

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
2db474bd18fc5adea0a935c643085d0c

SHA1
8e5d45323e68f5fd1aa22ad03495a31f086ce315

SHA256
969dceda7f4d696db179d598731013f28e37d107f58e6e30ec7f99588a36483e

SHA512
e0c2afb8e2a00f3ca795671ca38390a0728b87a5539c5647691def70ef4b4d3057cc04010e081ffdedb6e781240a7bffc127e81eb5825e94d51af11310932ea7

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
ae24959f7e59e16aeba6b9d8ba06a36a

SHA1
3f1845d832049c181efbed36b1a88c25df4c4e85

SHA256
a9a31db33cb9a1902f09cfdc5d85494faedfd420cabfa51f1f2d2ce466b24715

SHA512
2235b8a3dad4cd4161520303ab17ca25f36e6d9f058dd4fd797939883c7491ad78553b524fb61eeeccefa840313044dd6a6708cb8ea825b2b2af7e4e55916597

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
112205b2f4819d2510cd388243b8916b

SHA1
70814b4f765d6eba802b5b9951bedaf406a00688

SHA256
282bd8ef63b288f363637e42bee0bca90af8ff6094412463f6255ac6d1e5e5bc

SHA512
82f38e474988a0da642784c694af282ea0c17599319d2d3735345b0bd0fb3851672294ac36bb54308ae61036b37c2142c9b378c9ebe0d492ba9d4294d4b93cb1

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
112205b2f4819d2510cd388243b8916b

SHA1
70814b4f765d6eba802b5b9951bedaf406a00688

SHA256
282bd8ef63b288f363637e42bee0bca90af8ff6094412463f6255ac6d1e5e5bc

SHA512
82f38e474988a0da642784c694af282ea0c17599319d2d3735345b0bd0fb3851672294ac36bb54308ae61036b37c2142c9b378c9ebe0d492ba9d4294d4b93cb1

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
1100871851109b71ca5a54e822273ec2

SHA1
9cc241248189395ad8f5887a56538409ec1a600e

SHA256
c9e904e99fb50677b33fd8e68d2cdc05a6115da30cdd476030945cbcad4f132f

SHA512
20bc44c8803a3b444ab5176bf168b403555bdc1030d1f83764d5e1bac6930a3a435e35057a1c16f4cbdd57e129ae0ff68bf2e68db7efe45c99a0f9571c45b8f6

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
7b503ac28c1c60383083defb5d4b81b4

SHA1
ca4f9a21d2837f3b940db6ef4101b81a513e1c60

SHA256
5b7a67f47d058defc5a04f9bd70cf39404bf39aed99cd75eb7377714670c31a1

SHA512
6ce0b7003e3b09fd2485172a8e2228aa66fe0b7ae0e7082fa6adb238db480fd5fa4ae1a6ed5c43c4c0dd66838ef2d085407ef6bd54098fc964d0e5a3a6f6fd85

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
bf9dbdbc763d085024dbebfd646436a8

SHA1
03221fc578084d5b7a55bc283ad0d4b81c9af848

SHA256
10fe671da5fbb704cbb4f3cef8459270f7e87d89283028254c2014df5e68ec70

SHA512
79d4d8991cb81aa576c14875c002e81bde86216a19145ac301db9070c2177a9ad486cf0ba29757aeedb7d25b61c4cbe5b6f76e8604d511c6b1b66fa7cf71131e

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
bf9dbdbc763d085024dbebfd646436a8

SHA1
03221fc578084d5b7a55bc283ad0d4b81c9af848

SHA256
10fe671da5fbb704cbb4f3cef8459270f7e87d89283028254c2014df5e68ec70

SHA512
79d4d8991cb81aa576c14875c002e81bde86216a19145ac301db9070c2177a9ad486cf0ba29757aeedb7d25b61c4cbe5b6f76e8604d511c6b1b66fa7cf71131e

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
f3e3648f1fec6c4df6210be43ebc91f6

SHA1
863fb37101511d55066b3657897a25f8ab17b9f9

SHA256
f791359d109fa1632216a9afe639822b97703cc340e2655fef8e2d90e770cb16

SHA512
ad1a9788834f62c8b75eb1d7301ee050c7c87d423bfb193a97b6228aa1d51edee909e4906b3454b320ffb7dc2ca85bbce8268543a16e3bf4f92f6efc08e0d00a

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
0c008f3288f1913c0a7862e7ecc815b0

SHA1
e0b54cfd188460b8a3928af4d1cc2e3ea16e4b9a

SHA256
0c2d3cfccb2ee570abaa06adfa57d17afdffad940dba56db3e8c8a586b49ee10

SHA512
6ec10450987f15eceae54c3f737e5b729aae27ec7f27f10253d1e8ecc5342e0de523289b089d91961efda9a92c15dbc77dc33e12e42ad1a3ab9738971ddc0606

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
c2078eebc2abf53e18aeb8242f4877fc

SHA1
52a728d0630d0d50d7d54f7550508611b66ab891

SHA256
d843bfdf513e86558ef18b770236f1d5558f7577c43c62045b3a020a3c017da9

SHA512
a2e71ef9f2be2e6035ce131af23df4de7565d0f9974b40ef6f69808e0aae571a164b9f28d2228d517031521b04c0ad9223cd89e5b17d7e7b6aa0fc9d199ebb69

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
703ab2cce89865dcfe9fd49e1e419d09

SHA1
aa827b2b1799c44bf34ec2e5797cda0e0be041cd

SHA256
f53f181e0151561761daa438b7f9c0f016d61ab0784204dfd367bae72bf09a9b

SHA512
cc45156ae545cb5cb27ebd3de2a5b2474690d880e67147981d98b64bfcb3e345ef8bf1951f3015a093e5a1c6695de848ff5ed8b7234664f5fa82bcb6a160cd45

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
b9f75409465f14543c04b02cf9ccb324

SHA1
0f7d76337dcec985edd8af065c43a3d150708d58

SHA256
034d79f3ea72801c06a890dedee30868a07b92cc3b444000d6045299c4712fc3

SHA512
49f8f87cc58bda3f51ba30b1a33bc30d7239c96fb3106f6fb0ed93cb96d959fb200ce2af55473c36c8c4263f22483498566b10a04768a77746d89b749c687239

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
c884ba5e48858451e4aabb0406a49570

SHA1
929f7933238af76864f68dced7305ebd126367a4

SHA256
2ed6e6d7cc260a66975ccbb95b7ba13e66745b7748dcb02f694081464e6b6cce

SHA512
de91e0c37e9aa97bcdf24fbff9bb3775a9577afd78d7b99529ece359d859e4dcfa8c40a7e42926f6c92f4d34492bb855e02718c1edf63990f19fd9fc08113bf3

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
ce615aefe313479e753ceaa39b173cce

SHA1
e575ba427438cc0bbb08328ec7fb689d492ec77e

SHA256
77602bb3748208dff04ae4229be5bb08bf0737c1d729cda6cf040221e36887fa

SHA512
6d693125ff4c8981b5254a867bf29589352d7865ad62c2fa8d49096718f6acf62382627e441b82eec72c350f226a7666e319b94a710f8fc336a40af0241693d6

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
0fc18030470c91be811f6252a7ea3a99

SHA1
f7c42999a3a397bb8490b033fc08af3de035482c

SHA256
0283040873e0774ee194dd70293f1a6fa03dd9c8906e039121c72553551e3bcd

SHA512
a88ddd9b15f927c050e3845cdac30e5323178486c9feac6bda8d055748c978bc3598d6c02f334e0b3f124c554444df17e68e787c772a63d3e905df8c8dc6b3d9

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
a0705d7f55922f1a003edc4e144e0b42

SHA1
ba46f1aa1e8ea4fa1ecc07b1022197f552becff8

SHA256
70d1ccb41b700ed35e0cdda2ab369534175bb270bf7f5d8092a2b96a360144b9

SHA512
9a6a5f0ac85b866351fc30e4de285128e10d643c72aab7fe378bbe8e046ad15bf71876baba647afdd5a6cd4911d95ec936e82857e91fc4939ba2dab02d2426ca

Download Submit
C:\Windows\system32\AgentService.exe

Filesize
1.7MB

MD5
3ad674c58502b568fe85eb7d04238fe6

SHA1
3bbb2fb87cf46940352a2f7634518411105efdf3

SHA256
68e27d77309e7357a21d9d1ba65b167c4fb8f36d9a274f0d893c8cffefad4177

SHA512
d573812adc4074a97fa356085ab91d3da6d24f12b58f18b1e1905eaed3f35aff13e09baf4454b108a1e430af2aee7854ab870a5fd5ecc85823a98bab9f09daf1

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
df6c94370ff1d3df82876a05b463e978

SHA1
639509efc6d67156388607a9e754a6a6622ae6da

SHA256
e7ffafb8395583de0929f249041715a92eb661bccd20fe54d5b7a5f800cecf0a

SHA512
e1f055a855fe46c639581068231b38bb259e64d1248937d6ad88369f9fe231d569e64b5a073475af89edba9b40a96ed5a7055efdc613752f6650ab460421abf8

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
8f5e73444014972e8689f20871cfbddc

SHA1
07eb4ab8aaa1dad7212e951fdcef77af25285089

SHA256
277cc144003afa26f8d4b40ce60bd80e2799bd1b053704047126466ab6f6e619

SHA512
f9a96be01be4b7c98e43a6908081ca766c34862600905f59c3f03a8394f4f4d5d509c86d4f535955c08bc7d75db1018edb3f837d4013eb581ed5b136c75f8c04

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
2db474bd18fc5adea0a935c643085d0c

SHA1
8e5d45323e68f5fd1aa22ad03495a31f086ce315

SHA256
969dceda7f4d696db179d598731013f28e37d107f58e6e30ec7f99588a36483e

SHA512
e0c2afb8e2a00f3ca795671ca38390a0728b87a5539c5647691def70ef4b4d3057cc04010e081ffdedb6e781240a7bffc127e81eb5825e94d51af11310932ea7

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
300e86cea3446ddc9089d33c8c093d72

SHA1
a23becdb5fb9c0652f8f5b3fe81aa3164bea881b

SHA256
3df3c65be47875a8317dc00432332aebd21a90560bad7e0ab06b4d08671c29a8

SHA512
3ebc667f04078db3778dbb778032f9beb3d8445028bfd01fb2437627808c18548baf90c499eb42ff6346638a12a0734f4901d79120db7bcf85e3d887494a3875

Download Submit
C:\odt\office2016setup.exe

Filesize
2.8MB

MD5
c8a3404b417c0b344a9eba5212b76f61

SHA1
51c34a3e41010f23f0d809fe4a5e7925dbc14fc4

SHA256
470cd5b0000f1943fc59d5a570defba70e9d4cb136b551f5549b3beced02f3e6

SHA512
63ff1fd2b465bb39a3d485c1d8881875333dbc8645a10474cb0531884a9c6eecbf6c02e4ef912b97da88a9dd2af428469bb1466d2fed1f515e810d4d14d2d3c5

Download Submit
memory/660-359-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1316-284-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/1316-579-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/1472-204-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1472-508-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1472-192-0x0000000000880000-0x00000000008E0000-memory.dmp

Filesize
384KB

Download
memory/1472-198-0x0000000000880000-0x00000000008E0000-memory.dmp

Filesize
384KB

Download
memory/1732-304-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1732-574-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1796-280-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/1876-361-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/1908-134-0x0000000005CB0000-0x0000000006254000-memory.dmp

Filesize
5.6MB

Download
memory/1908-139-0x0000000007280000-0x000000000731C000-memory.dmp

Filesize
624KB

Download
memory/1908-137-0x00000000057C0000-0x00000000057D0000-memory.dmp

Filesize
64KB

Download
memory/1908-133-0x0000000000CE0000-0x0000000000E46000-memory.dmp

Filesize
1.4MB

Download
memory/1908-138-0x00000000057C0000-0x00000000057D0000-memory.dmp

Filesize
64KB

Download
memory/1908-136-0x0000000005890000-0x000000000589A000-memory.dmp

Filesize
40KB

Download
memory/1908-135-0x00000000057E0000-0x0000000005872000-memory.dmp

Filesize
584KB

Download
memory/1932-414-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1932-143-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1932-149-0x0000000000EF0000-0x0000000000F56000-memory.dmp

Filesize
408KB

Download
memory/1932-157-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1932-144-0x0000000000EF0000-0x0000000000F56000-memory.dmp

Filesize
408KB

Download
memory/1932-140-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1952-170-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/1952-176-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/1952-181-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/1996-282-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/2028-258-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/2660-826-0x0000028899E10000-0x0000028899E30000-memory.dmp

Filesize
128KB

Download
memory/2660-750-0x0000028899E20000-0x0000028899E30000-memory.dmp

Filesize
64KB

Download
memory/2660-829-0x0000028895B60000-0x0000028895B61000-memory.dmp

Filesize
4KB

Download
memory/2660-833-0x0000028899E10000-0x0000028899E30000-memory.dmp

Filesize
128KB

Download
memory/2660-825-0x0000028899E10000-0x0000028899E30000-memory.dmp

Filesize
128KB

Download
memory/2660-811-0x0000028899E10000-0x0000028899E30000-memory.dmp

Filesize
128KB

Download
memory/2660-834-0x0000028899E10000-0x0000028899E30000-memory.dmp

Filesize
128KB

Download
memory/2660-640-0x0000028895B50000-0x0000028895B60000-memory.dmp

Filesize
64KB

Download
memory/2660-641-0x0000028895B60000-0x0000028895B61000-memory.dmp

Filesize
4KB

Download
memory/2660-668-0x0000028898480000-0x0000028898490000-memory.dmp

Filesize
64KB

Download
memory/2660-669-0x0000028898480000-0x0000028898491000-memory.dmp

Filesize
68KB

Download
memory/2660-832-0x0000028899E10000-0x0000028899E30000-memory.dmp

Filesize
128KB

Download
memory/2660-804-0x0000028899E10000-0x0000028899E30000-memory.dmp

Filesize
128KB

Download
memory/2660-805-0x0000028899E10000-0x0000028899E30000-memory.dmp

Filesize
128KB

Download
memory/2660-806-0x0000028899E10000-0x0000028899E30000-memory.dmp

Filesize
128KB

Download
memory/2660-807-0x0000028899E10000-0x0000028899E30000-memory.dmp

Filesize
128KB

Download
memory/2660-809-0x0000028899E10000-0x0000028899E30000-memory.dmp

Filesize
128KB

Download
memory/2660-810-0x0000028899E10000-0x0000028899E30000-memory.dmp

Filesize
128KB

Download
memory/3332-542-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3332-228-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3332-212-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/3332-206-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/3372-416-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/3372-617-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/3644-619-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3644-417-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3820-231-0x0000000004E80000-0x0000000004E90000-memory.dmp

Filesize
64KB

Download
memory/3820-215-0x0000000000550000-0x00000000005B6000-memory.dmp

Filesize
408KB

Download
memory/3892-335-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/3892-597-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/3900-363-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3900-607-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3952-156-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3952-159-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/3952-164-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3952-415-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/4332-590-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/4332-306-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/4460-180-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/4460-182-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4460-188-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/4460-199-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/4460-202-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4548-609-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4548-388-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4624-229-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4624-217-0x0000000001A10000-0x0000000001A70000-memory.dmp

Filesize
384KB

Download
memory/4624-223-0x0000000001A10000-0x0000000001A70000-memory.dmp

Filesize
384KB

Download
memory/4624-226-0x0000000001A10000-0x0000000001A70000-memory.dmp

Filesize
384KB

Download
memory/4984-608-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4984-383-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4992-234-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/4992-257-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/5096-596-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5096-334-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download