blustealer | bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
27-04-2023 13:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmpj_mcuumo.exe
Size

1.5MB
MD5

39810b7912907fc879004874df0e9e9e
SHA1

f2e51d5e9f644058a8ff4d64458e2914ddf2a364
SHA256

bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61
SHA512

abd49e8623428a399f665e2157522b6d285cb6c1f77c043eb22038df2ebbfbb21f3823c08dd781be5df043f1ab9b514990ab890bc80086cf33860aa6f4e75b5d
SSDEEP

24576:molqfbt8n/WmtqmZfq/ppZge1+qWMZukXfRtgyCrWw:sxgWm8m+Zj+qbZuq

Score

10^/10

blustealer collection spyware stealer

Malware Config

Extracted

Family

blustealer

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 22 IoCs

pid	Process
3864	alg.exe
4128	DiagnosticsHub.StandardCollector.Service.exe
2572	fxssvc.exe
4480	elevation_service.exe
452	elevation_service.exe
1040	maintenanceservice.exe
5104	msdtc.exe
216	OSE.EXE
3988	PerceptionSimulationService.exe
4424	perfhost.exe
4728	locator.exe
4312	SensorDataService.exe
2960	snmptrap.exe
5008	spectrum.exe
2120	ssh-agent.exe
4888	TieringEngineService.exe
4456	AgentService.exe
956	vds.exe
3032	vssvc.exe
4716	wbengine.exe
4264	WmiApSrv.exe
2936	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\snmptrap.exe	tmpj_mcuumo.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	tmpj_mcuumo.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	tmpj_mcuumo.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	tmpj_mcuumo.exe
File opened for modification	C:\Windows\system32\AgentService.exe	tmpj_mcuumo.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	tmpj_mcuumo.exe
File opened for modification	C:\Windows\System32\msdtc.exe	tmpj_mcuumo.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	tmpj_mcuumo.exe
File opened for modification	C:\Windows\system32\msiexec.exe	tmpj_mcuumo.exe
File opened for modification	C:\Windows\System32\alg.exe	tmpj_mcuumo.exe
File opened for modification	C:\Windows\system32\dllhost.exe	tmpj_mcuumo.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	tmpj_mcuumo.exe
File opened for modification	C:\Windows\system32\wbengine.exe	tmpj_mcuumo.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	tmpj_mcuumo.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\593999f8c94b1c77.bin	alg.exe
File opened for modification	C:\Windows\system32\spectrum.exe	tmpj_mcuumo.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	tmpj_mcuumo.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	tmpj_mcuumo.exe
File opened for modification	C:\Windows\system32\vssvc.exe	tmpj_mcuumo.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	tmpj_mcuumo.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	tmpj_mcuumo.exe
File opened for modification	C:\Windows\System32\vds.exe	tmpj_mcuumo.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	tmpj_mcuumo.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 408 set thread context of 1208	408	tmpj_mcuumo.exe	91
PID 1208 set thread context of 864	1208	tmpj_mcuumo.exe	97

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jcmd.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\klist.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\tnameserv.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{FFC11392-3607-4D9F-985B-7818929ABFBA}\chrome_installer.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jconsole.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmc.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmic.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\serialver.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jp2launcher.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ssvagent.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\keytool.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\ktab.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javaws.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\schemagen.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\pack200.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\orbd.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\java.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javac.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\servertool.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\wsgen.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstat.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jrunscript.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javacpl.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\klist.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jsadebugd.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\java.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\nbexec.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe	tmpj_mcuumo.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\pack200.exe	tmpj_mcuumo.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	tmpj_mcuumo.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bce83a551d79d901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bd9986531d79d901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d8fb2e551d79d901	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003e5d6f551d79d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cf4cff541d79d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b6fd69531d79d901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	84	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
1208	tmpj_mcuumo.exe
1208	tmpj_mcuumo.exe
1208	tmpj_mcuumo.exe
1208	tmpj_mcuumo.exe
1208	tmpj_mcuumo.exe
1208	tmpj_mcuumo.exe
1208	tmpj_mcuumo.exe
1208	tmpj_mcuumo.exe
1208	tmpj_mcuumo.exe
1208	tmpj_mcuumo.exe
1208	tmpj_mcuumo.exe
1208	tmpj_mcuumo.exe
1208	tmpj_mcuumo.exe
1208	tmpj_mcuumo.exe
1208	tmpj_mcuumo.exe
1208	tmpj_mcuumo.exe
1208	tmpj_mcuumo.exe
1208	tmpj_mcuumo.exe
1208	tmpj_mcuumo.exe
1208	tmpj_mcuumo.exe
1208	tmpj_mcuumo.exe
1208	tmpj_mcuumo.exe
1208	tmpj_mcuumo.exe
1208	tmpj_mcuumo.exe
1208	tmpj_mcuumo.exe
1208	tmpj_mcuumo.exe
1208	tmpj_mcuumo.exe
1208	tmpj_mcuumo.exe
1208	tmpj_mcuumo.exe
1208	tmpj_mcuumo.exe
1208	tmpj_mcuumo.exe
1208	tmpj_mcuumo.exe
1208	tmpj_mcuumo.exe
1208	tmpj_mcuumo.exe
1208	tmpj_mcuumo.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1208	tmpj_mcuumo.exe
Token: SeAuditPrivilege	2572	fxssvc.exe
Token: SeRestorePrivilege	4888	TieringEngineService.exe
Token: SeManageVolumePrivilege	4888	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4456	AgentService.exe
Token: SeBackupPrivilege	3032	vssvc.exe
Token: SeRestorePrivilege	3032	vssvc.exe
Token: SeAuditPrivilege	3032	vssvc.exe
Token: SeBackupPrivilege	4716	wbengine.exe
Token: SeRestorePrivilege	4716	wbengine.exe
Token: SeSecurityPrivilege	4716	wbengine.exe
Token: 33	2936	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2936	SearchIndexer.exe
Token: SeDebugPrivilege	1208	tmpj_mcuumo.exe
Token: SeDebugPrivilege	1208	tmpj_mcuumo.exe
Token: SeDebugPrivilege	1208	tmpj_mcuumo.exe
Token: SeDebugPrivilege	1208	tmpj_mcuumo.exe
Token: SeDebugPrivilege	1208	tmpj_mcuumo.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1208	tmpj_mcuumo.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 408 wrote to memory of 1208	408	tmpj_mcuumo.exe	91
PID 408 wrote to memory of 1208	408	tmpj_mcuumo.exe	91
PID 408 wrote to memory of 1208	408	tmpj_mcuumo.exe	91
PID 408 wrote to memory of 1208	408	tmpj_mcuumo.exe	91
PID 408 wrote to memory of 1208	408	tmpj_mcuumo.exe	91
PID 408 wrote to memory of 1208	408	tmpj_mcuumo.exe	91
PID 408 wrote to memory of 1208	408	tmpj_mcuumo.exe	91
PID 408 wrote to memory of 1208	408	tmpj_mcuumo.exe	91
PID 1208 wrote to memory of 864	1208	tmpj_mcuumo.exe	97
PID 1208 wrote to memory of 864	1208	tmpj_mcuumo.exe	97
PID 1208 wrote to memory of 864	1208	tmpj_mcuumo.exe	97
PID 1208 wrote to memory of 864	1208	tmpj_mcuumo.exe	97
PID 1208 wrote to memory of 864	1208	tmpj_mcuumo.exe	97
PID 2936 wrote to memory of 4732	2936	SearchIndexer.exe	119
PID 2936 wrote to memory of 4732	2936	SearchIndexer.exe	119
PID 2936 wrote to memory of 1668	2936	SearchIndexer.exe	120
PID 2936 wrote to memory of 1668	2936	SearchIndexer.exe	120

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe
"C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:408
- C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1208
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path
    PID:864

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3864

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4128

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2188

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2572

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4480

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:452

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1040

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:5104

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:216

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3988

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4424

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4728

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4312

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2960

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5008

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2120

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4476

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4888

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4456

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:956

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3032

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4716

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4264

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2936
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4732
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:1668

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
3ede665c088ae4ac24347b126127f77d

SHA1
44fe3eeeea7cfdbbac26140155fa9c0f124facfb

SHA256
61d1809d1d1d5fdddc14e5f479bde9828890ed8e239f28968379433745ec410d

SHA512
173853e4883b19771385dbc5b44a1ce1dee3232b502080e66025f7cf447372f36104171871ee89a6bac36308b53f95b1936ad95fbae12a405de1a55ce57210fd

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
5e3802e57b6b58f2c004375887fe9e3b

SHA1
1dc6963de219d31f62730c141dc7c0e6151de0cd

SHA256
b9e42dab7cfa4180d4fba7522b77fdac375cede2885ff78a07311a155c19d0f9

SHA512
54d1e8ead5c7a631be9102fc00baaeec65373a4f63dfe7bb287dccd7c4c782759cbd3c3b410806abbd753f1d31ecbf6b6abfdf7375d9b7314ce103c115b1ecc6

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
5e3802e57b6b58f2c004375887fe9e3b

SHA1
1dc6963de219d31f62730c141dc7c0e6151de0cd

SHA256
b9e42dab7cfa4180d4fba7522b77fdac375cede2885ff78a07311a155c19d0f9

SHA512
54d1e8ead5c7a631be9102fc00baaeec65373a4f63dfe7bb287dccd7c4c782759cbd3c3b410806abbd753f1d31ecbf6b6abfdf7375d9b7314ce103c115b1ecc6

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
ea23b234ba0f69d69cde20a000d21f19

SHA1
0b0c2886583935fde554515e54a9be50fe6a95c5

SHA256
2e86feb7a2d90cbd9907bd2b2c9409004803385a4a31905f46eabbb2e74417ab

SHA512
b91722894f6bfd9835397ba4180cd80c025b3e2a7939fd87a5cc69fa51c021e9e34049516b84defc8c524f3e2ae5534ac06b7626584f1f59dcc8d8759a076710

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.4MB

MD5
614512a5f873f5397d0c4e47dbca583c

SHA1
18fb82a153ceba1d18d7b56ce37976cb61edf84e

SHA256
f7278ea605b7d0703bddf3039e26608a387ba15b71e0c1dd96565b67ec5fee1d

SHA512
763507c335c70633ebefc29a052d382d253fd0500aa53005ea116aa9aae137bc4382d2927f4c41a161047e96228634a3a5f61ef4c8934b7ca525b4cf93c414f0

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.1MB

MD5
0266bbf669202a68c69f76941767976d

SHA1
749f39745d92262f2cfc21f68641c7f1acc60e65

SHA256
647c294f32b44b89dba1f9e401be172dce164380c78d6cf0892f8253db5354c1

SHA512
2ea34251d686cb89b53957f4e5dfddd29a253a9b0bfd307ba2713cc39df31529d2efc23c121ece6fdfd782b1f40625ed6019f10e234e0c7c32d1467c622e9db4

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
b293792a41c3dc236e6a2cc5701ac60c

SHA1
50ecfffa83796e830a586a207c610d5a02948a48

SHA256
969f3896692477fdf1e424cdf37094b7c8719fa1aecc8f1941f07bfad0707d5b

SHA512
dbdd95d512686eb7218471aee5a6f7e924a7e98d42d4c9a9fabad5b292ef04f28c1155cc9fcf0306754aab57338af40eaffb7caa3fcbc07d4a6539a74b5cac65

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
200a3973ac543eb73691b333e920a304

SHA1
68dcf17809cd696362784b272b0086d6c75bafc7

SHA256
02115786575efc0f41b51b7e6858c2b4017220bca450609cbb960186e1ecb2ab

SHA512
77b50c418ca0ac92f635f44302cb070cb4afbe6190f7e23ef90fb5329fd5316486cea046d248627d9a93e28c17d47da7eceaadfd20dc2dc90d5b1e60a625c418

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
2.9MB

MD5
fb2b480d2ce9d996bc1ed84419ab2778

SHA1
3b3d2fa42f766166d3d976c85585b9d2e599ef9e

SHA256
44b18dca9766860bb2cc9a706356696e006ec45ca397ddef2285dd28658b0de5

SHA512
2ef30a32b61e5bd87ea3b0c91e658943566fc5d1aff50bb7e41ec442cf22be00ec13799219cfa985666783b46bc89ba24abaa590fed99dd02cdb4480613ad929

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
1cdad4545008ea7881e90208d1d6728e

SHA1
eb2bd6849b06ad693429fd8cdd02e3cf42ef4bc7

SHA256
7be2ce5dfa3b049cfcf169d33d2a00307752472a496346016d0288021136cb3e

SHA512
507abafb9fd018bdac7971941710283ef1136f7f62779ce9a6b1449fe5ab816695f01e082cbe04ea889b8a37a5248ea97bacd302ce93206c0c09faa847d9ae1a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
1.2MB

MD5
1815816141dc766ef8c0739a91dd0d4f

SHA1
654a39c4d82a341c26eb14f748b34cb6f53179f0

SHA256
15c979708d1bf194b70714ad626b9deb5c8672b68ad7a0299f0386bd6bd8601b

SHA512
4ac73294223465aca37d854bb8042cb811ec7e8c49d3377db194bcee4ab024b18cac5a4441bede04574fa9a43067e8548f87b72ca0b9a8712ba78f8d43fb60ae

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
465c9f4880ef1e718066ef2bdc8535cb

SHA1
6e88a9ff2f0b81e415dad2055e89b9bc155e36e4

SHA256
8a0e7d2df31f00829d53213c017772b2f700ea7e71d1fe5a74da0acc017f5cc7

SHA512
087d81dc62716f7c1222bcbc94d61210688d09de3da035f34244692d7f9a4a3ab1c4c53afc21a0b8954a208747175254e60150c47c8dc4270da1501463417bca

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
79353f865b59744aecb1e6bdf438f2c6

SHA1
0719fd58e19bcdf50eb2bd723d07be8b5cb82701

SHA256
7230654075ad0fe970360e9c6214fb40741c1d1b989f7dfb6198404236757f32

SHA512
406e236de12e023d4799a8378d3acd83022442b55dad271ed125e6faa148480255a890000bf5b72ea255ef42c39cb4eb0a9a7187e7c91ae91f5f2e543a55a6f0

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
cebc35e679016eae5d268ec204754858

SHA1
9ea2de64aabd34034b52ee651286bb6da2cb1aa2

SHA256
54f2fc1ea7e029482cbce5065144aabe7502a71e5c6aa3d6f232fe98c1f0b3f1

SHA512
0d9e8b0265589eb62668f0ebe03de1ae02aa8737f15f7d2226f64c659622a1245c2417d7c194f4c5e3d182fe26db7e27b4b9ff8c41e5f97c358ebcaa5b889b51

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
960KB

MD5
2eb20d934af9ec7b6ecd2550fbc52ffd

SHA1
a7bb21764d58df260450d2f69766c80f6a281bde

SHA256
c7a238c9a555c2a4c5df586e86be2d71cb3d05092000dde3fdb2800f5f0e8ac8

SHA512
2a7c2a81b535473eb59fdca890ad28caf4b050ca8b80ba1365ffb517bde6c71a3d8415a733de6498d84c3da03310dd9f80d96fb98c5921c56f52ccb1a28f393a

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
960KB

MD5
7d373183394b89b6071438cb4dd8e202

SHA1
a972cd4b5c40ef7cd2ef56a1c278ec349cbd85d6

SHA256
18b83d206355e4d21ff64ec22c49e92d09e9b605fc736a2effc3af08ed793dca

SHA512
3481ab9237e928c5aeda626fa148f69d8548989aaa3db17f081608e911917b5758c5d3447ce5f5964d4058d62c87da1fb65109465199e8d0adfc08dca7056cad

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe

Filesize
960KB

MD5
bac8542a3594c50d6261542376304c22

SHA1
64c62b08e611b4471feba887fda83616e0dc7d5d

SHA256
20229fc63ec152773bdfe317ee004098850cb4fa3dfc19e549c04a7be76df5ca

SHA512
bedd7992cf0070a44c5533b08a3f3618ca1d77fa132db21b62961bfdc0d32b8e57cdf3a6f22daf5549c7928d7111ae148c3fd8fa22dfb51ec0ea8251bcc0f035

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe

Filesize
960KB

MD5
a163c85eef9878bf291c37e8ec611556

SHA1
19de9462283fb9b013d78e7f84a87b0dbaf24118

SHA256
a76594db0f9daffec41ef7a74eb04953387a5f329d3f39c2ebc6c98863a0b64d

SHA512
f720e64bfc1c5d7f4757a9d6226318222dcca8a08d156ba10b08bb0dca6a9f8514ba4e4e2b48ebe579ba62dfa23eb9a4cf8a088108800dffea0d9dd008f35890

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe

Filesize
960KB

MD5
b22c75b4be8edc7c3e2a4b1f0522dbdc

SHA1
c3fe1e6ed7772528d497e03ee767b1c7328c8161

SHA256
a0b0a923d69da7c3c9afe58f2fd7e900d7582227eeebca1de461900221e1ec2a

SHA512
7efc0f467ef7fb550d86f3f463ef9ca66de19274bb0db0572f0dd7e38f271dd038fe5e0f471a8496ac2abd2fdf023c569bc7e3d0d94af270d7e8b2ac489a7ff1

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe

Filesize
960KB

MD5
e95b554b01c0913490ba18587c37cd52

SHA1
c228542f4f0c05c73b2dd1de86c614a38b40276e

SHA256
d42509e7617068244bb2bb8608354fc1dd09c06bfdadb7f4b011841722e49ee2

SHA512
334ef51eaa5b03aa41e4a6f9714523fbc5583518bc12e3254ad09cf3e2e71e6969458e8f6647f67a7df062900194a10dfb918d74536622e8216b2810a0923f59

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe

Filesize
960KB

MD5
67a6f64b25b947675b49e0c4924b4c19

SHA1
df8d5fae55643fa4cb95cc38bcc5458ad3218ad2

SHA256
0dd22b9ebc8daedc5358b86511d201217a523462f34bfbf86db8fb325ccce986

SHA512
b296f0eb50af86bba8df2c6c66ee69adef9206b4abbc63cd7c956187b31ab5923433cc134d9822d44cb03add9596643ad3eaccfb8ad490bf9f46377e9e4652ea

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe

Filesize
960KB

MD5
01aa742fd92367ff403fe115b078e79c

SHA1
bca9d2a4f8df9b0d0a4c0e7fd43c97856d550f6d

SHA256
fb127e93128a3de5607852ac36fb3db954b804fc4aef28dc6a5f0c803a086b32

SHA512
7242a20a02fbaa62d5aeac1b0fd55a6643fd90b62d99bb7e6dab08b08153d90a1e533317df9ca3ea9708d05c2a04a2d7852a754d247987517ac8f21be64a48ec

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe

Filesize
1024KB

MD5
6110d6099bf50b59b2bc291e50556271

SHA1
bbcf63a78c47952292c3ca9661f2faf123c0cd7e

SHA256
197e1f22e8c1eb25f422b13a6e393635d0933b96136f7c3ab0384f7086c0a108

SHA512
e8218440f131556bed7c3b64522f54c396e6a3d076c6f954549b689cdc4ae0b8591fc057ffd4414fd583d61011587702856725e3b1bfeb6c3297b62ddd982b50

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\java.exe

Filesize
960KB

MD5
0304636aad6dfc54cc29e4de60edcbf0

SHA1
15e74429a887ccc3500105aeba21dd16c7ca5c94

SHA256
2db13d6d9c8cac38e2ffefabf8238def80be20715d0badc92fa8534e635fe48b

SHA512
9493acbcece9e4f11e5ed60e80811afc233290e0686391d13235008d44c743cc16c51d2e861efd22adddc4a93084c62d211fcf403fe76dbc131cbae546c194ed

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javac.exe

Filesize
960KB

MD5
217ae86554906014426acad719bd4b91

SHA1
d5992875f4fbe49467b1b0df0de316cd0f2017c4

SHA256
a878063def76db715181b3a83848123624990ed5f6e9f5505ed798b8fbc80cf8

SHA512
55564d3142afd425c7b3e6981867110faf68c27b707e24d4437e27ec3bb90348d3488c6e9e5290e235b49a7b2250212d63a822e7d6dafb5e95bdaa68c5e9a7c5

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe

Filesize
960KB

MD5
adfc8df9b178b18a676689bf11dcbecf

SHA1
c3e0408666d5b7a9d8e83b448b98cfbfa006c0d9

SHA256
20540b57e92c993a12f6fd3e42930a89fc07855cf91ed44747a69a6b49113174

SHA512
3796224eea4db328300d6db5da08e600ad01ef9e2ed1ad17629f8d0ed45c7803b1789679309d0a46ebbd7e2759a1041e6aad45fbbc5c94e1b4d9c054342245f5

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe

Filesize
927KB

MD5
e09951022923726e74a1e810a7431260

SHA1
b77f5ca9573a33414292d3270237b6202d5b4012

SHA256
9e9eea2c2bbbdd268ed385e2c5e803588bbef3ec625e7749aad2a8a7dec2922e

SHA512
32d767117c07c54d8d54495c7979defda2b207c4758a948c1fe329b2c8c74dc0eac0eba04290a71bf79fdd8d987badcd3133597decac25e36cd83ce3c0e5a13b

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javah.exe

Filesize
896KB

MD5
34b35c2a14e2aacf0fed56c0bdb43714

SHA1
830672be8befd23c785150b7f4b03030005d9828

SHA256
0c29cb0d184c68c9a230025e86ff94ffa5c709650cc41d408c8f08b7df8dfc6e

SHA512
846f48400cdc985b08653e9aebed75ebb96df95af1e71216c19c33a8eebd999d72dd3704cad78095aa931e57e7624cbf30a1dc8c0fed8d9d1d9e74afe83a5f2e

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe

Filesize
896KB

MD5
db0c154aebc7531577478a4dcf449dc0

SHA1
34054da0fa7c95ead6f9cd78b3cfb13e3c3edae4

SHA256
19276f5b8b404e4bf3294cf7094c01bb103b99e193bcd295c6655c6bb29bbfc6

SHA512
69fbf008afb9252503807a3bf36c5ff72002108332e59d1e924bace1970d9f4ccfbd1af1eff2c7c1b14620e5e3573ad7c607db9bb0179e63c66639174c66755a

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe

Filesize
896KB

MD5
e8dd3f7d1fe142dee6f724efbd755881

SHA1
b87acb01387dc92eae45b74d0d095e7f70f4372d

SHA256
2ed216155780096642c76c4992a47df1c1afb331f9dea25b829c9a3208685168

SHA512
598f60d504760a83b3b67c3a38c79a224b014dec64f1f40faebef1271433e30f7348e1374e23cf5b888471150f7a3b8dd7588a198b46fa9ad04dcb9be168d60f

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe

Filesize
896KB

MD5
06a8a21a113741ee8469222484f7f315

SHA1
86951f6853d3423efc1b5b884e830410e1ec4b2f

SHA256
0de882dae54b4e023e5311860c8551aeee867ef0c66422be669ddaadcfab4ee7

SHA512
c649ca57a70fe51a6c671e0a548c93e9bb634cf16b2fe39bf82c88e4bb8578f77d08204619a4bec9c26fa8ac03d1f0d3357a13459d60d2aff649c14833045061

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe

Filesize
896KB

MD5
b10c46dbeef05f160242549d1e6d1927

SHA1
c74fae1e84cf810a80be6a0a1babbdd297efcac8

SHA256
fae6c9cbb65a02b9887400fa36a930af78c63533e95edcdb88f502d1765247f8

SHA512
67de071c8c7ab58fea42830fcee73db378be550622897af48b624ac6b65592c5458b9fcb8ea8c6eb07fd6f957523419a0aead3c7562b79dd772f0ea8ecea184a

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
d87958a182b8ff6e197ee0c1b45fb73d

SHA1
80cabb44b0986b72222f58a03fddac4a49d38942

SHA256
27a507913ec48b9d77cf002f006b10381cb3eb0e9241e8d0a8dfbfd5f623b091

SHA512
9b554792e20bc5e714988077aee2ee3f69abdebe1d23b2feced5556b683a68e06449fb2f694ec86a574e8b7e11153dafeed0a6a492ac19639a82cc67242b551a

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
7659b3f877e1a32651b00040d88ae4d7

SHA1
83dcd599803dae86859ded7f26a5bc0ba5a3b29e

SHA256
e30efa047b618974bda30a2326f6a0f4cdcf6521c99410faa85275a81c1ab2b9

SHA512
8ab1177d5186b186a4c21c7d06c5bdc560008c303e1275d507f69960c94f9cf78fdad52d6c0a2edc96b8a027c81636b0af5b1fac550c52f9a24e8df4cf20f33e

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
aba724265d7424a501c975be2956acc9

SHA1
12f080c2de25fd68076f700c1686a346d0bc8d03

SHA256
c9ab0d4f528e247cb1a8a7c952ae15e80982a1c5451f1f778f3def4ca3bfd709

SHA512
762a77fe1c2206b73e74aad09cd40d8dd19575356e4e61d88a47561aa07523a07ef0d847200b9dcac2b632df06c6d033387dfa640123591713dcecad900c0e2a

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
c417c709ee70b78c9e3a3d49b6fa53fd

SHA1
fd8b5f00700cb22ca59c7cb34d89088752ab5766

SHA256
b20b4c3e20b70f545c0360d83aba38a11c142c45bd697ea3cec5231ce39b3486

SHA512
5c065a74dc06f1da49483b5ce009953afdef722787fd1e0387b2b472539461bc8579e74db700c23a1bdb034920854d16557490d152f532bfdb817323c389daea

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
157963d97d34ba01d7e25c96735e92e8

SHA1
1ee7faad5b215d587ac5e79b8280a229dd3f9004

SHA256
244b3ad8f284eec8e74f812ca8b9ba43d8cf31fd4077eae4af6c57092ad4db03

SHA512
3f4e8d558cdffaa595b30726b260a4a26f8806f11a17dec961da40dcb1a47f78a9a50122bad58683000ed76169702b597a0b20f51cb8c52bbeacd1a4a50807f4

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
e323b32ef4850421f0289a1c1525cc29

SHA1
70d9db7cbb8e26cac35904ea4533c4ef5abadb17

SHA256
4a3e25d729c58053de7cd977e76fd7784a27be9caad3b1e5d801f1daee493786

SHA512
8f0eea40c01289cc28493ad3a46702ce4aaf72854d5210b43613178761e95a9876a99f45b8157457539c27466e70bae762e4b07213f927ad7cab9d6a85355176

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
9b2ddb3de0dbf523d3dc22d35a506bd9

SHA1
1a221328df90dfa7ae5c23b9c95e8bd499886212

SHA256
e421f24d32e23ec33984abfb654374a04613dc0f949a207e2268325bc9814cac

SHA512
3039d6c311372bdf48e11da4443df7463132bad52e8990e6e4512ebf58b029289c3c95b496507c3085e37b825a4005268e8b359c92df0909a7a824a53db1f798

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
9b2ddb3de0dbf523d3dc22d35a506bd9

SHA1
1a221328df90dfa7ae5c23b9c95e8bd499886212

SHA256
e421f24d32e23ec33984abfb654374a04613dc0f949a207e2268325bc9814cac

SHA512
3039d6c311372bdf48e11da4443df7463132bad52e8990e6e4512ebf58b029289c3c95b496507c3085e37b825a4005268e8b359c92df0909a7a824a53db1f798

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
334e7825b5725d490ac0de94256e35c3

SHA1
79eac24e03a625042ae2692d45f5971b9b220c99

SHA256
72f85a4054e9d36ab8936fb1ca3dd842a16b9191c781b21a7e7c35a446931d07

SHA512
25ca2bc54c0a015e511ab0688f42d665652e3a177f55683cc6b4de233d3d92ed395355bc1a38bf161c5bf65ef1bb4f78c2f529e2bc3531c5991b9e5e723e732d

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
c33abc957a84e259df436af72adc4cd9

SHA1
03a6fb90941be0f00307f52299a339c2ed9863e4

SHA256
2ac36badae5c605ade37f78335e12b634a3d7dbcdfc24304bbac735b8458e5c0

SHA512
abe65310641c3139f86b72819b16a2ad439e43f09a4c44aa401564ed6efba9dcf47c3d69f79837058cffdde6a787963a45b3f0146f0775d3a01bbbd442603223

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
5c6b37102605aa4187db98ec5f033de6

SHA1
2ff63fbff1e11ce9c890427352d41eefb9f8dbe9

SHA256
5fb86363ad1006f33e338c5f79d5afcbc5aa063d726b063672197d2a61eda287

SHA512
f697c05aea5c71bb6b7838ff398fcabaf5999b782b30d40c350e04be665b9f013deae82c0ed053bd3edc8e10a649bf96963a33e5dc2c8a04f1cf8725021d1083

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
5c6b37102605aa4187db98ec5f033de6

SHA1
2ff63fbff1e11ce9c890427352d41eefb9f8dbe9

SHA256
5fb86363ad1006f33e338c5f79d5afcbc5aa063d726b063672197d2a61eda287

SHA512
f697c05aea5c71bb6b7838ff398fcabaf5999b782b30d40c350e04be665b9f013deae82c0ed053bd3edc8e10a649bf96963a33e5dc2c8a04f1cf8725021d1083

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
1acbffc8f5c21648ff4fca795003aace

SHA1
487bdb52d22395b990c44a74778ef4f3eff44d49

SHA256
ce724a0254cb2c1a8e24499e02b3bfaefe6d56ae7781292efd9f6f82eb4a0378

SHA512
4e0a1e3977c21d9da64ef8932b0672a8f67cec28ffb7dab0b0fe9bbfd0cbad822188f6fa755774b1d16c64bef932df8ebb2627878aea651a6fc7b002122fc991

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
9ee8785708f72fbb4e5cd0d82f0f0493

SHA1
ae69c1f179862993c51e782a312963672e6c67a9

SHA256
6ba634a35626fc61b469dabc37a623fafc9833f1ae283c5a388f0898dc14ea72

SHA512
f549ffaae2d82bcc9b6725b6cab6232d5befba50b4164441bb825a8cfe56ac507c8dbd21e29d10bcd295526e44dd5bf697ac0a48f48a585e872d793111df2829

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
893ba674ef83b1809691e1043453b50f

SHA1
017a3cb2f6bc6b6d83b42ae646c0d59756098ec4

SHA256
46098d52b5b316a4f9d7b820a0407e442a64e7a122c5418d0c151abd708f98fd

SHA512
9951b6ae34b6a4029e01e4d45d85aae8f8fadf7f932caf2c79f81f0c10c34a5d7d0eb2415bb08cf56475af354b448aefb6fe36252e8da148acb4b3a53496112a

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
a89c061bf8792fe7e69877e04231d78a

SHA1
15d43a1bba454d3d07df7684425feacf4834247a

SHA256
9fbaf496c7dba350325a5fbcc06de7fecd06ff182de5346fbd957d2bd8accbf2

SHA512
2947d2f2c97c7f557e10df65ce26f9b3d69f581cbe256a8a8a6080d2a81924941e21f149da1c69cffc443e1642e9381463f5792276b6c1d95b3e482caf0b2afe

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
e89fafe59236fad396b50071f12d8fbb

SHA1
25bee6f1f3ff74846a2caf90c8eaf043cf2a002c

SHA256
a320511f8ed8bbdcbfb4178945126053cbedd83435c875ede9c87e6b0ac0fdf1

SHA512
ed5a4ee22d0f6ff623d2c1771eb160e0c54d2cc66901718d07a9668740c5295bb53daf97fdadcd3679fdec2d917e49f9c1ba15ecdaf98925115c425119c7b65f

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
725155c54d11e0b082415bb5858ca8b3

SHA1
d26b160e37b4a9d09e62dd567563ad67402cc821

SHA256
f769620b9e7e921fe88c1c4697954ae6d69f927034fedde354cce3b9724b1699

SHA512
e821203fb4ae604837d3e3bdef60b69d66b469e30d227017e170542739909dcb2a4d0ab5c0c0abab93d98aab9784ff941693629305e15cdf391665edb58ee3de

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
5bcc4ce12a9244af90c0405a122b3672

SHA1
f93c5e30be9ee41f31ea36f623f794f47a7bb532

SHA256
01a76b89ea6b62ad0399da6582ee9d5b0bcfe44211551f9177fcdc5e12eae5dc

SHA512
5db283823a74aaf83f04f7b605bcec664a4192df624c8de9d9bb6b0fbfaef0edbb33874536a1a765e027ae7bf00b967d66953d19f3a334a6a8351fdfa50b23d7

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
445099cba53f2f16ec38b618e08f6d8d

SHA1
62e2a4ec98398ed621fea8428c133855db9ad00d

SHA256
e0b54cf46bb796538feb49b7d935ab800c6de9050a159172347d266ba93a6da3

SHA512
870791686b895c3b6145a95bde317bacf4b59b1cd80573f56f9f301816330236fdd17bfc49ed475e070e442cecb824473372db1b78d38e76a1513dcc881b8888

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
65c444ed15f2ebd6295e862c39b1839f

SHA1
730d43f5b4eb48ec4e637c72e9cc280913735bc3

SHA256
e744277e0146509a96d41f44036efddfead7e986e96746f9c49f3e1bec65c908

SHA512
fbcb7da0b73d70282d20a9ff350e004e6e032c45bdcfefc69709bfacb8d78c2e66f716c6840bebc62adcd602bb75ddbf5a9579f14379f8c1676d4b491b7803aa

Download Submit
C:\Windows\system32\AgentService.exe

Filesize
1.7MB

MD5
aba724265d7424a501c975be2956acc9

SHA1
12f080c2de25fd68076f700c1686a346d0bc8d03

SHA256
c9ab0d4f528e247cb1a8a7c952ae15e80982a1c5451f1f778f3def4ca3bfd709

SHA512
762a77fe1c2206b73e74aad09cd40d8dd19575356e4e61d88a47561aa07523a07ef0d847200b9dcac2b632df06c6d033387dfa640123591713dcecad900c0e2a

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
fba504700d87820d97f9efe2fe84702f

SHA1
7bcd34ac6fda9ed2555b09bb7ab4b82ffc38be3b

SHA256
c83635d360c1c65f9d1da16c753d1b7af290015c8f71cfc5ea709ed56a4c8f6e

SHA512
4f8403f8cd154a799dfd960e888f6f45a6a3a1e6705d47419c698130dcf5faf8b0367d29d37b48d6e1119222de222ea78b81265894a70708adb9eeb5a3cb8823

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
2f6f4d8765cd123dc0ce79829abed6a9

SHA1
52f8e1554cdabacccfd2da93860d2d9b0c8d6b82

SHA256
f9f2e18db74e1ab78bf81ac83dbfad54d4abb94bb0d6b8d52b656f3f9a6417fd

SHA512
eab98e98d90ebf51f7ee141e4088a77e013bb60b8305da441ec8434755108e22d53e18d83f5c0f367fe6c26693454dc105fde7fa5556147f5f717a442e636367

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
157963d97d34ba01d7e25c96735e92e8

SHA1
1ee7faad5b215d587ac5e79b8280a229dd3f9004

SHA256
244b3ad8f284eec8e74f812ca8b9ba43d8cf31fd4077eae4af6c57092ad4db03

SHA512
3f4e8d558cdffaa595b30726b260a4a26f8806f11a17dec961da40dcb1a47f78a9a50122bad58683000ed76169702b597a0b20f51cb8c52bbeacd1a4a50807f4

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
eb41c1c49490b3c0b4ab60a29d7623a0

SHA1
5f62c4faa58df5bb1630032f7efa2945f11a886e

SHA256
2ea5aa557a4bd975e79453a7d289e0486ca3b3196185407eb9f001d6ae6907fb

SHA512
825241ca548ec795c058f87f8ee037f7037d12d5e1603df7a309140f2e0fd33edf2a4704aa26d13081da9a98905d48e3be069d47143da254f240c0efbf8b6112

Download Submit
C:\odt\office2016setup.exe

Filesize
3.1MB

MD5
5c0a665d1ee90357b6108abc8eff2f54

SHA1
189625531594678f3e65c3f8f338cc7dada37b27

SHA256
6ebb45b8271a7e18c26837931b54bce6bd8ffabc8bbc5599d53ef134ad0501c3

SHA512
905b987113305a548e7b5bc9a958a8144213d0c0d1716f184020085fbc8b8531ea355473a873e8841591ef5c3ee2aa4cda7d239a0415743318ceb8aa5224f7d5

Download Submit
memory/216-273-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/408-138-0x0000000005A90000-0x0000000005AA0000-memory.dmp

Filesize
64KB

Download
memory/408-137-0x0000000005A90000-0x0000000005AA0000-memory.dmp

Filesize
64KB

Download
memory/408-139-0x0000000007B20000-0x0000000007BBC000-memory.dmp

Filesize
624KB

Download
memory/408-136-0x0000000005910000-0x000000000591A000-memory.dmp

Filesize
40KB

Download
memory/408-133-0x0000000000F30000-0x00000000010AC000-memory.dmp

Filesize
1.5MB

Download
memory/408-134-0x0000000005E50000-0x00000000063F4000-memory.dmp

Filesize
5.6MB

Download
memory/408-135-0x0000000005940000-0x00000000059D2000-memory.dmp

Filesize
584KB

Download
memory/452-212-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/452-206-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/452-541-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/452-225-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/864-203-0x0000000000B50000-0x0000000000BB6000-memory.dmp

Filesize
408KB

Download
memory/956-372-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1040-228-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1040-231-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1040-217-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1040-223-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1040-224-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1208-144-0x0000000002DA0000-0x0000000002E06000-memory.dmp

Filesize
408KB

Download
memory/1208-155-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1208-404-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1208-149-0x0000000002DA0000-0x0000000002E06000-memory.dmp

Filesize
408KB

Download
memory/1208-143-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1208-140-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1668-684-0x000001A99BE20000-0x000001A99BE3A000-memory.dmp

Filesize
104KB

Download
memory/1668-773-0x000001A998730000-0x000001A998731000-memory.dmp

Filesize
4KB

Download
memory/1668-663-0x000001A99B050000-0x000001A99B150000-memory.dmp

Filesize
1024KB

Download
memory/1668-664-0x000001A99B050000-0x000001A99B150000-memory.dmp

Filesize
1024KB

Download
memory/1668-665-0x000001A99B050000-0x000001A99B150000-memory.dmp

Filesize
1024KB

Download
memory/1668-666-0x000001A99B050000-0x000001A99B150000-memory.dmp

Filesize
1024KB

Download
memory/1668-683-0x000001A99BE20000-0x000001A99BE3A000-memory.dmp

Filesize
104KB

Download
memory/1668-661-0x000001A998730000-0x000001A998731000-memory.dmp

Filesize
4KB

Download
memory/1668-685-0x000001A99BE20000-0x000001A99BE3A000-memory.dmp

Filesize
104KB

Download
memory/1668-704-0x000001A99D330000-0x000001A99D340000-memory.dmp

Filesize
64KB

Download
memory/1668-769-0x000001A99D320000-0x000001A99D351000-memory.dmp

Filesize
196KB

Download
memory/1668-662-0x000001A99B050000-0x000001A99B150000-memory.dmp

Filesize
1024KB

Download
memory/1668-774-0x000001A99B050000-0x000001A99B150000-memory.dmp

Filesize
1024KB

Download
memory/1668-775-0x000001A99B050000-0x000001A99B150000-memory.dmp

Filesize
1024KB

Download
memory/1668-776-0x000001A99B050000-0x000001A99B150000-memory.dmp

Filesize
1024KB

Download
memory/1668-777-0x000001A99B050000-0x000001A99B150000-memory.dmp

Filesize
1024KB

Download
memory/1668-778-0x000001A99B050000-0x000001A99B150000-memory.dmp

Filesize
1024KB

Download
memory/1668-779-0x000001A99BE20000-0x000001A99BE3A000-memory.dmp

Filesize
104KB

Download
memory/1668-780-0x000001A99BE20000-0x000001A99BE3A000-memory.dmp

Filesize
104KB

Download
memory/1668-781-0x000001A99BE20000-0x000001A99BE3A000-memory.dmp

Filesize
104KB

Download
memory/1668-631-0x000001A998720000-0x000001A998730000-memory.dmp

Filesize
64KB

Download
memory/2120-345-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/2572-193-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/2572-187-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/2572-181-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/2572-197-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2936-412-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2936-620-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2960-321-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/3032-609-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3032-375-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3864-157-0x0000000000660000-0x00000000006C0000-memory.dmp

Filesize
384KB

Download
memory/3864-163-0x0000000000660000-0x00000000006C0000-memory.dmp

Filesize
384KB

Download
memory/3864-178-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/3988-275-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/4128-179-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/4128-175-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/4128-169-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/4264-410-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/4264-619-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/4312-583-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4312-294-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4424-576-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/4424-277-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/4456-359-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4480-201-0x0000000000D00000-0x0000000000D60000-memory.dmp

Filesize
384KB

Download
memory/4480-501-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4480-199-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4480-191-0x0000000000D00000-0x0000000000D60000-memory.dmp

Filesize
384KB

Download
memory/4716-408-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4728-291-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/4888-346-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/5008-593-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5008-322-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5104-242-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/5104-233-0x0000000000D20000-0x0000000000D80000-memory.dmp

Filesize
384KB

Download