blustealer | 18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
01-05-2023 13:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Purchase Order 202319876.exe
Size

1.5MB
MD5

581f51fd35e943a69a4c569fa8654736
SHA1

610e7579a996ea788ccb688a9dda9d4855a40a2d
SHA256

18d8044858441edcc126e76dab8c868a23acabb9abf7bab966e4c3eb24f44043
SHA512

8bb8ce0f096c5a08e2457c7039f0169ae312f850e8189e240176e7a4ccf4ba113efe9f3a19e4e282ff66b60e48b0e07127270da804e0192f5ef091f7ea9e03db
SSDEEP

24576:Xbj8B+M73OglQfGmzu7SulbydbwcLxTDkU9tMMkB5lO2dMqtX1uP:XX++tglKKPwbwcLh4otmB7ldMg1C

Score

10^/10

blustealer collection spyware stealer

Malware Config

Extracted

Family

blustealer

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 22 IoCs

pid	Process
1984	alg.exe
4052	DiagnosticsHub.StandardCollector.Service.exe
4424	fxssvc.exe
3340	elevation_service.exe
4156	elevation_service.exe
3168	maintenanceservice.exe
4172	msdtc.exe
4116	OSE.EXE
1300	PerceptionSimulationService.exe
3776	perfhost.exe
3608	locator.exe
2768	SensorDataService.exe
4912	snmptrap.exe
264	spectrum.exe
3916	ssh-agent.exe
4624	TieringEngineService.exe
812	AgentService.exe
4056	vds.exe
2712	vssvc.exe
4072	wbengine.exe
4952	WmiApSrv.exe
2008	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Drops file in System32 directory 27 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\vds.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\system32\dllhost.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\system32\locator.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\system32\spectrum.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\system32\vssvc.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\System32\alg.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\system32\msiexec.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\system32\wbengine.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\5e00087cc9ce9937.bin	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	Purchase Order 202319876.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4376 set thread context of 2492	4376	Purchase Order 202319876.exe	90
PID 2492 set thread context of 2232	2492	Purchase Order 202319876.exe	96

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\unpack200.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jjs.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jvisualvm.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\unpack200.exe	Purchase Order 202319876.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jrunscript.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstat.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\nbexec64.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ktab.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\servertool.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jps.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jp2launcher.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\rmiregistry.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jconsole.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\klist.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{989CBEF4-A34C-4AE5-A19C-57B2F66BB278}\chrome_installer.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\unpack200.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\java.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jabswitch.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\orbd.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jabswitch.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\klist.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\rmid.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javah.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jcmd.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\wsimport.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javaws.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\servertool.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\tnameserv.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	Purchase Order 202319876.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	Purchase Order 202319876.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008b8e5a62437cd901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000315cf65437cd901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d960cf62437cd901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002e429563437cd901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000c166462437cd901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000081d62d5c437cd901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000073047062437cd901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	85	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
4376	Purchase Order 202319876.exe
4376	Purchase Order 202319876.exe
2492	Purchase Order 202319876.exe
2492	Purchase Order 202319876.exe
2492	Purchase Order 202319876.exe
2492	Purchase Order 202319876.exe
2492	Purchase Order 202319876.exe
2492	Purchase Order 202319876.exe
2492	Purchase Order 202319876.exe
2492	Purchase Order 202319876.exe
2492	Purchase Order 202319876.exe
2492	Purchase Order 202319876.exe
2492	Purchase Order 202319876.exe
2492	Purchase Order 202319876.exe
2492	Purchase Order 202319876.exe
2492	Purchase Order 202319876.exe
2492	Purchase Order 202319876.exe
2492	Purchase Order 202319876.exe
2492	Purchase Order 202319876.exe
2492	Purchase Order 202319876.exe
2492	Purchase Order 202319876.exe
2492	Purchase Order 202319876.exe
2492	Purchase Order 202319876.exe
2492	Purchase Order 202319876.exe
2492	Purchase Order 202319876.exe
2492	Purchase Order 202319876.exe
2492	Purchase Order 202319876.exe
2492	Purchase Order 202319876.exe
2492	Purchase Order 202319876.exe
2492	Purchase Order 202319876.exe
2492	Purchase Order 202319876.exe
2492	Purchase Order 202319876.exe
2492	Purchase Order 202319876.exe
2492	Purchase Order 202319876.exe
2492	Purchase Order 202319876.exe
2492	Purchase Order 202319876.exe
2492	Purchase Order 202319876.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeDebugPrivilege	4376	Purchase Order 202319876.exe
Token: SeTakeOwnershipPrivilege	2492	Purchase Order 202319876.exe
Token: SeAuditPrivilege	4424	fxssvc.exe
Token: SeRestorePrivilege	4624	TieringEngineService.exe
Token: SeManageVolumePrivilege	4624	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	812	AgentService.exe
Token: SeBackupPrivilege	2712	vssvc.exe
Token: SeRestorePrivilege	2712	vssvc.exe
Token: SeAuditPrivilege	2712	vssvc.exe
Token: SeBackupPrivilege	4072	wbengine.exe
Token: SeRestorePrivilege	4072	wbengine.exe
Token: SeSecurityPrivilege	4072	wbengine.exe
Token: 33	2008	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2008	SearchIndexer.exe
Token: SeDebugPrivilege	2492	Purchase Order 202319876.exe
Token: SeDebugPrivilege	2492	Purchase Order 202319876.exe
Token: SeDebugPrivilege	2492	Purchase Order 202319876.exe
Token: SeDebugPrivilege	2492	Purchase Order 202319876.exe
Token: SeDebugPrivilege	2492	Purchase Order 202319876.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2492	Purchase Order 202319876.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 4376 wrote to memory of 4960	4376	Purchase Order 202319876.exe	89
PID 4376 wrote to memory of 4960	4376	Purchase Order 202319876.exe	89
PID 4376 wrote to memory of 4960	4376	Purchase Order 202319876.exe	89
PID 4376 wrote to memory of 2492	4376	Purchase Order 202319876.exe	90
PID 4376 wrote to memory of 2492	4376	Purchase Order 202319876.exe	90
PID 4376 wrote to memory of 2492	4376	Purchase Order 202319876.exe	90
PID 4376 wrote to memory of 2492	4376	Purchase Order 202319876.exe	90
PID 4376 wrote to memory of 2492	4376	Purchase Order 202319876.exe	90
PID 4376 wrote to memory of 2492	4376	Purchase Order 202319876.exe	90
PID 4376 wrote to memory of 2492	4376	Purchase Order 202319876.exe	90
PID 4376 wrote to memory of 2492	4376	Purchase Order 202319876.exe	90
PID 2492 wrote to memory of 2232	2492	Purchase Order 202319876.exe	96
PID 2492 wrote to memory of 2232	2492	Purchase Order 202319876.exe	96
PID 2492 wrote to memory of 2232	2492	Purchase Order 202319876.exe	96
PID 2492 wrote to memory of 2232	2492	Purchase Order 202319876.exe	96
PID 2492 wrote to memory of 2232	2492	Purchase Order 202319876.exe	96
PID 2008 wrote to memory of 3752	2008	SearchIndexer.exe	118
PID 2008 wrote to memory of 3752	2008	SearchIndexer.exe	118
PID 2008 wrote to memory of 3872	2008	SearchIndexer.exe	119
PID 2008 wrote to memory of 3872	2008	SearchIndexer.exe	119

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\Purchase Order 202319876.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase Order 202319876.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4376
- C:\Users\Admin\AppData\Local\Temp\Purchase Order 202319876.exe
  "C:\Users\Admin\AppData\Local\Temp\Purchase Order 202319876.exe"
  2⤵
  PID:4960
- C:\Users\Admin\AppData\Local\Temp\Purchase Order 202319876.exe
  "C:\Users\Admin\AppData\Local\Temp\Purchase Order 202319876.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2492
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path
    PID:2232

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1984

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4052

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2116

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4424

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3340

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4156

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:3168

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4172

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4116

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1300

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3776

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3608

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2768

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4912

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:264

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3916

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3536

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4624

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:812

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4056

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2712

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4072

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4952

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3752
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3872

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
45067137b4547c0d3e93ebf59d1b36b2

SHA1
2576c0c33376167af6e500aec436440862bc928f

SHA256
ce5928adb21994dab3391297e6dcf6513a224eded13241b03a70a0f1b059ace6

SHA512
278382c7f19026eaa8a20fe673516584478a5ad0d7683675287e4e163a6b466e09f1ac08fb46fd1a7ba2b8d537e59cc8e6d9f39274a9320eb5920f414cf38e2b

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
5f8605f5a5763ed6feabc44ddfc37577

SHA1
c897eabfecee3dccb159002c484f83f6b4d1786a

SHA256
211cc3aa69112d4201c296341f4fd0b735db3e6bfb811a2099a5e2192eddd528

SHA512
60d30795d4a5662733cefcb41742cf3587a44495093a81f8357dd9431d9800f224e117c751491695a80492ab40d8e213474f8cee27470e2cf0fcae1f65ab07a6

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
5f8605f5a5763ed6feabc44ddfc37577

SHA1
c897eabfecee3dccb159002c484f83f6b4d1786a

SHA256
211cc3aa69112d4201c296341f4fd0b735db3e6bfb811a2099a5e2192eddd528

SHA512
60d30795d4a5662733cefcb41742cf3587a44495093a81f8357dd9431d9800f224e117c751491695a80492ab40d8e213474f8cee27470e2cf0fcae1f65ab07a6

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
1f01ddbc65d74509e991dad2140c11d7

SHA1
993dba82c68deb6f2cbb18092e8073dea7073e6f

SHA256
1ef3e0e7dd644b7c5a3149c0ee99c4607a16f81444f25e6beee3a2c3bb696fdb

SHA512
72e274ed6e9951c8e190c4ff5959995a6a3621ba04b3e1c58eb441d04a358d63e6a24d8b20ea714f45e2b0da95b7dbd02457fbc068df94987b65067f9003fcc7

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.4MB

MD5
0a5a4aace95a3b9353d7b30188410f0e

SHA1
fc3f20ef5a9a86a2eed1474ded9d91ca508b09ac

SHA256
05c7a7fdc0d6f88fd1a4f7350624887e635abcb51783fc668081bab2d2ae37cc

SHA512
51bfe4db265faf9285658cd7148f17ca5a210e26497d354920f8f6630754766ab6a2d6d1e492e390ab6735c9992da1e3ee712a62f63ab466a357db4d24cdb126

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.1MB

MD5
244e6d86b6cbf0f205cd8a813e62fece

SHA1
1ca6cfcd205cff24ccca979d50f5478b8291c540

SHA256
6f069a839932edb31ffee996dd92a5ef0d7df4cea339821a7ae207875797bfa1

SHA512
54d4205ae6352b206f60e9f4cac36f9036151aa1b05a36169009c61d602368c7da7b5b279d9e2ccf3261b928a1d5158b9be3d4123263c69ecd0d9e1f1f995bfb

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
61a6073f73713149d42bd82f9b4b8976

SHA1
32b299cdfa55d124a26fbd4a97cdf738e3b22a43

SHA256
680d4332c24c10497e760bc8102fa53bde5b41aed210c50a33f46de0191cf7d2

SHA512
970c4855d16c53b1d9077bf735124c3b6e9df743545f15440b7042eebb3168d56be088b3afcf66f7e3fc6795eec7b367b6e8ecb5ab85f230d56850ba4f5211e8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
a8e42a8f2ed427b4f8a66a09bc7ed4b8

SHA1
aba9ee41408fe614593659866a56c3ce33d39b40

SHA256
f63a7f09f27c69d2eb39fba88dc44dfdcd0cdb59cfafd44b5bb1d7ef0e626e61

SHA512
542b0258d82a7e4c2e309c091c98948cc8e9bc0f341fed4272f6207c9ee805a03356da956eee10474fae15ddc32348c50b14a9f5b33cd5de95bfa3c15d0ec383

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
1.1MB

MD5
7f49bc6bf54ea103594a45bc9b8432e6

SHA1
bcc22ca32cf63a2d2b7ce23a3dfae0c62e51d170

SHA256
08be0e5ee0ae4152c2a974955dc4fa3163259130d355c0e75e61872948a0b7c2

SHA512
0e8070cd8d60082611803284544680b9cb4e14689a4d1b47684940ef3cd5dd23578f7363551b4d9b6d32b7299e57edad55718e820be053a8a35a2281c64a9bd4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.1MB

MD5
88abb12c61c15bffcde76872b3d2733d

SHA1
b27c7d422192ca9e5847f7e5095b7a47d81b3181

SHA256
ab874545cb23373622932daa304b4fb3b4eec3a2ebbb3f0f87559fbcc6b1d7f0

SHA512
912ba7eb04fb01c3ab83c9eb528667dc30916898d5bb45f063929dbf514f3b730e3a51505c00ad9a4c55c0767332e8a59c0aac02aa0ed9548f63cbb756cea4df

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
1.1MB

MD5
fc4cc6f7047a8d8d15d2086b5412d255

SHA1
ae4ee0a1148eaad31ec78d3957a8cdc4bc466771

SHA256
5ffd1b9b2fbbdfb8390fd2782cb0e5bf276816b06bca552c498b72a5c51413be

SHA512
34825aa3435070e13e4ac8293dea256f3462a0388d98dedc53629485ba30127343e662da469be162ba15683cccf7f34a747e8abd9bce8e456950a5ef6cffe32f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
8d676bd7085890a8f4e26c82fa254e5f

SHA1
afc8616d9cba9efe364825dfb228620f1daa13b4

SHA256
a0f5c4ec06e7a4753ec965dc52d4b95f404a4464ceb70f1f4931beece0ff4dcb

SHA512
a3e320f6504252ec6fca28e5be686603101d9ddc84f2443eca4fa4d827923d8aadc51e426f7e7525c92d6467ed156a6d3deecd53e1ca632c1cad401b0bfb3dd2

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
3568d368429438490aa9fed3b46da5b9

SHA1
1f5cd0f9459f4c2ed9259cd63b369af74468431a

SHA256
9f4ae341479a613c8803f368f1e59d3511bc1470a8e7edad5971e7d518e40402

SHA512
9d784a204429c1a83f30148b062aea9dc6d8bd33c65452e4a5e783d6314051338ea8e06664bdc216539959b6501a65ae52b5a8cf5603b6fd2a93d2baf5e8f04e

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
ee9e04abeea2032a90b0e6a3fe2457b7

SHA1
a9fc1d273aae74109ba9177f3585fe291f49d26d

SHA256
6eef46800e602bce41be91267f6c70e6b2a5c6c720b9be842af7275a239468d9

SHA512
676c8686f1757c3319dd6ee6aae4ca0d6bd5e3470144610d2cdee6d38877aef7edac3172f52a90d6fa07b5ffb66fb72b3849afc2cde4c5c09935c1e57d14a030

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.1MB

MD5
640b2252323d91e5e539256f22747df0

SHA1
9362a56ab92a111719c1ec9ef5306856f5e0517e

SHA256
61f0dc93207b8ca2945dc0b0156c47ad1ce08a662fdcebd658d18ab43e28cc91

SHA512
9377ecc57ab86a5d075f67d9fcae76cbdfca3b28a346414414fba88ed7d157d247b33038ca9409bb9cfef1b22ec6c713ae0fb997d45467ef04384b13c8b0cac1

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
1.1MB

MD5
2b7b8a16af591c1f3f5ae62d07946925

SHA1
21d27e042c0b563a7e440c3837d32dd469247843

SHA256
a8441fb8a1fc6db2e82f17f8d87d1839d41a9bb79bb7f17ec1eac6c3bdf0cf7b

SHA512
e265a3cc22bb7d46e44db947e9d460a2e6ddcbc17fbb653a7166335cec90e60bceca214f138a24f8179bbc55a64eccc43e217650dd7e73df3fa41a61f6faada4

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
c2bb25734008269f38be84c2dfd5bef2

SHA1
6a920031f0f2757d95bc3dc137cf50cd17064513

SHA256
87648046f542f14910fb5d14089c41730d4064c4ed928840e3ec94828171a14a

SHA512
a70bbf3614421682c528bdc7eb063614a0fd0c3a59370a70af96d0a7665082d47ee0201d438ba48ee15eaba47c11f1ebb4562d5855f387bfe1820bc61861a450

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
e27e538832019866aa5de906e9835891

SHA1
4b1a0753fca834a4866daf3090eff26d2e87d5b5

SHA256
9fc54356d7b242c2617be7a18e0dc1e6375035d3308cda70055043621569ca2f

SHA512
21db5fe865036134bcebc8eb277ef327b786d8d647d5b116a2860810ed5f83cf694cb979fbc747e2b44c0c2da26e65cc2967d84eae45b711e8a32d9a7ffed14c

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
caf0a4b9d04b2300e22758be2a5bc75b

SHA1
ed01b70c2932bd03c97b50c80f0ccee026ffbb34

SHA256
146d0d08baa9098fa190034ff0e4d6cbc6ffeadd558c19f6dbf03b3e694f16d1

SHA512
0965cd3cd4c4cd148381ddd799d4df5fb1627e3755506d2f84f4ea16ba7d7929db67d4f1c1b5652b62d2b2c1889b72d2bc9472d70548e7a704d0d55d09b61d32

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
70b6e71ab089585761aab0ac7785f0f9

SHA1
4fcb5d4d261ed58a66f560b86615110122be20e4

SHA256
70022e80e07d72ee15b3904dabc76d9eaa9777d17f35102b7c180404386cf6a6

SHA512
c54a513d11600e647b2ef73b9c1c5697268a7f20979927b5717443cca7390f8312d9c52272913297a0f3abc7cfb2534c470aba3d7791a6eabf6e48d86bf58e2d

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
78830e9f66603bf2dd0b714890e37afb

SHA1
3b6d9f35faecdca0ae36921cb163eb57e8ab9ff9

SHA256
465491aa17186af3906bfe22540f35bf3cf1100fbd0e613347cc711b2ae3a9d8

SHA512
1d3044ba3ac52cec01d53fb808885ba473863f05de0a1c00eadeec3467d8d5524518bb0ca743748539c863c66458140e33bd6c33c48b3fef20f8806898530caf

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
f2e9fd28a40206edb8c128312b39c664

SHA1
3ed226438544b43fcbe112e4cd9beb7ffeb1a23d

SHA256
1b65531418b10cce2237571a9d659d104f570076b3ee28bb68223506d73f4008

SHA512
435f56e7bcd1f298f5a3c477ffe23bffa47e224413f9a2f94211f2bffb63bedfd26ec1c53cbb102aad9d5cd2917e09a73b77d9a3695f6b7cfef39ed7582cf3de

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
bd07fb22d35fbdd743f24d81bf2a0236

SHA1
4189aa82f453f84f23ed45975fc9f6402eebe2bc

SHA256
ad21ec8b13810b9eca2d3e2992ca08b597374f1b14db881df48bf50ff798aade

SHA512
5f57269824ab4e52a02aca444427f5ef6bc48a4bb6c316fff72fdcff6f22425e71e122b7e20d84d84f8464f8823ac9dd03eb4a2712c17f7d6feec3440400046e

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
ec347cae98bd2a470231d95c8a5db229

SHA1
7b44c5317fae305da87dad49c19a3cba8115595a

SHA256
43cd48ee1e6e2b32a2f65b7ccaedd0bf3bc92f180aede1f1729b20417583703b

SHA512
ed75cf89d1e2d261fa2ad6026f71e80ad0395a65ecbd3bae690d52f2db45e01f063e209e4201d115a2c9fca9e9afe6b0eafd23598a766bf7cfbc9d9cc491f77a

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
ec347cae98bd2a470231d95c8a5db229

SHA1
7b44c5317fae305da87dad49c19a3cba8115595a

SHA256
43cd48ee1e6e2b32a2f65b7ccaedd0bf3bc92f180aede1f1729b20417583703b

SHA512
ed75cf89d1e2d261fa2ad6026f71e80ad0395a65ecbd3bae690d52f2db45e01f063e209e4201d115a2c9fca9e9afe6b0eafd23598a766bf7cfbc9d9cc491f77a

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
fc5fe64baf45c7f2a91243f22d23f9c4

SHA1
0745f0e0212da9503be89e003e19247cc21fba1f

SHA256
c0039ab61d7b9ffba13975bfed4206205fe9d519a33f004204cd3c881fd3e119

SHA512
7efda9f4a6271a626bf826a8ae7ef098ccdc0d84a91dd33bc25bbd3074743eef052c3c16756742697f6c002a335ec301bd628f542f4af3e4ca906c51c1485538

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
c63613a2231ef219ef236f809b2582b3

SHA1
13210b85fc3ff8b533d0df19c57938938f30c748

SHA256
fccaf8f3c337b1a04b6e393127fd11936fce3ec54f081d5e171aafb3f453eed1

SHA512
d79cb7265a3a48b94f1d360d6a22d1bedee9e64bd6523cc11b7e4cfb8bbd5670736b525780c5e78c7ca9647614ab905ee9a90f50e7ef90cacfdef2e07a6b6d0c

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
cbb5bb6260f7619d14f416a4c67ca3fa

SHA1
7fa021299316b40d85aed888331eb69e9a19f865

SHA256
e6abe00d6b72bb42fc8eef3ec710ed78568bfdc0122d40d1f9b3af7157fb791f

SHA512
82ecba85a09463a758359c17936f0ea48690e4f0c9de7d6846162c10771ceb7fba242529cbec0fcd879d2b4bbcd44ad0d2d9e4af1d8dfbe465ec0da76e905c19

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
cbb5bb6260f7619d14f416a4c67ca3fa

SHA1
7fa021299316b40d85aed888331eb69e9a19f865

SHA256
e6abe00d6b72bb42fc8eef3ec710ed78568bfdc0122d40d1f9b3af7157fb791f

SHA512
82ecba85a09463a758359c17936f0ea48690e4f0c9de7d6846162c10771ceb7fba242529cbec0fcd879d2b4bbcd44ad0d2d9e4af1d8dfbe465ec0da76e905c19

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
1c802c8a12f274a1938efde57d44d0a5

SHA1
3450309794f73e3723d9d14c5a6dc7a4858b919f

SHA256
96272bcb95d5989f2628a2ed3d3d70ce730c376e5e9a77e0acd367381bf018ba

SHA512
3cf69c726ae3a53f82366edc95af0d53b780f8ffda6853607e4aceea8abccbcdfd5bab018693fc0f4ff954a426588947e1c86434e280a5348f55d0ec1bbec0e3

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
1db0854f916d63c36d825fb51ba9d076

SHA1
cabb8ad67613bcfe7663f16aed8f7e75e21b0dd0

SHA256
5c84fba2525c6f1604a11a70cc6a2d09ddd407615036687438cd812b47f5494d

SHA512
154a6c196c648f21fbdf8398ca73bb5e2b31ff4fe0a99c53aca390b8ca49629bd8a7e20b7ab6bab22bae30421d65cf29b1476253e63560f91f3edcbdf2e596ef

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
eabee7fc2c783d37f57859f149a0d782

SHA1
6ff5f859bdac43c19218f0c94b5452fdf9ce0938

SHA256
5d8d3c20ce054d05ad7f40659f80d4ca4eb9ae411d5652c2dc9ae47362bd4bb6

SHA512
076c8a546a940dcaa9b8279bab1babd643c00987fe5a0692c5c56263c086ca3d807848547c6e888b2b22b27563264ed818c7ebdd5c50729ba99f005bdf172983

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
3c19fb6423882ce90a741ec433267ed9

SHA1
188b5bfd574ad62e8f9ac1e6bd329b40c8683ec7

SHA256
e32784b1f0b0ea53171a291800e93a1f3f1c84508d7a63dff8712a1f867972b6

SHA512
8d01e7b9fa3545af90f388467d6f525f3913c16a9d2625d7c421930684862611c69551b5f36c7931934e880252c5984a62115a357b868f9ea02f61b03157ef0c

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
2ba61910469469d99132eb43003e51ca

SHA1
229b00aeb37f567a885dda83fcff02b4d57a5ba2

SHA256
a265dad45ef3f4427ad8a1dd7da18bbc806f2cfadd904d3c269ee1dc8d8fdef4

SHA512
8e449685f45097f38f7d2b811ed6d824f4767a67d0288418a7b22537c6451a614c0b29b4f07833abd96f9e67ba68551803dea74acd637679c9fa3c6882163a71

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
4b16c980b9ea9a978fff62ebecf52aa0

SHA1
409a93105a50ee12568e8c661a377b8ecd70aa6a

SHA256
6dd094bd14e345fceaa1f0bb331218087fb169f98e5f5e497af956e78f00c42b

SHA512
c20bafc434cc3556e54bb767296e01cecddb8ffa0595edfad5b8d5bb7d81f5199774dfc32fb37b71e4e4aff986bc4d629e9c5e58ac003cf6d6d1c20fb6851847

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
d9a7bd95b7d2595b2e80adf8e6b4f851

SHA1
ee5094fd3a9e7a670e112071496305bcf5dbbc80

SHA256
b0922ce170426e05d2781fa8273e0d152ac23c8c97a800afed5b9eaef7d8a1c7

SHA512
8a4fb07c4cfb2c0136cc3fa8ce775c648ab44582038aac86048ea87cbc9a1ac0e959a82f754fedda89243a2367e99cb50d638799e7a005555f9da57b57bd1b77

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
95bbcc716efd98bd4ab3c97b3f4efec2

SHA1
3438038610b6878beab6d38ae7322586385f1c89

SHA256
68958ebe5112308dc323cbc95073de8f23ec2f9f570271039c19e082af2283a7

SHA512
baea0a4d74c64be79c20f01a169d64b9d92e381a87d5495d3b2d514bb40a2e776311ac9c78d804d236091224e3a4c214b58e229230853f5267c05fe082098d9b

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
8916563188f8461b3cd66ac11e4a9c4d

SHA1
a25097b0972c2e672324668d60df3930fd0d4908

SHA256
700231659d4570e0e8ef2bc332e80332e2584bef8c503dab83289c30b7310cc9

SHA512
e6aa361b13e0b62917ed9afe32de79760b7a1bab9426fd87eef061fee91ebff0cc019b2d5d1c05ff1359daecb0c55f4fd3c8c6f9ebd548c084e2fa6b059f0165

Download Submit
C:\Windows\system32\AgentService.exe

Filesize
1.7MB

MD5
70b6e71ab089585761aab0ac7785f0f9

SHA1
4fcb5d4d261ed58a66f560b86615110122be20e4

SHA256
70022e80e07d72ee15b3904dabc76d9eaa9777d17f35102b7c180404386cf6a6

SHA512
c54a513d11600e647b2ef73b9c1c5697268a7f20979927b5717443cca7390f8312d9c52272913297a0f3abc7cfb2534c470aba3d7791a6eabf6e48d86bf58e2d

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
4f6ec6e0fde3df82ae58cab185872694

SHA1
ab68743b973aa99594714d40acc5d95ccbcc83b8

SHA256
1db08154e4c5bc909b69cf94c7f4711f7c2278901ebd73b9ac96fd3479bfb5d1

SHA512
e50d560b1eebd22ba78dbeee012c3500058aedca67001c94f121bbf03dc2b1447ac951d66f89cd4b539bcf7bc3960439e5a7c41feddb528e66554229a853ec08

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
c57f2ea3735c78a9ba40c2e028bbc52a

SHA1
a5c54f123436e983bb58322fe8b10a19723dd863

SHA256
1672898567caaaf5359fff82c35218076f2cc892b248f6a3b458150eb163a22a

SHA512
e132c02be05a7448cbc6fc98d832250af74bcf6b8956f14532ba7a1bdf8166da6a9d1da29cb12b87921adefb303944452057ad851923cf2d3f51b6817a53876d

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
f2e9fd28a40206edb8c128312b39c664

SHA1
3ed226438544b43fcbe112e4cd9beb7ffeb1a23d

SHA256
1b65531418b10cce2237571a9d659d104f570076b3ee28bb68223506d73f4008

SHA512
435f56e7bcd1f298f5a3c477ffe23bffa47e224413f9a2f94211f2bffb63bedfd26ec1c53cbb102aad9d5cd2917e09a73b77d9a3695f6b7cfef39ed7582cf3de

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
97dfada8839cb76efd129908f2c8051b

SHA1
eae374c3c4f2dbd34dfdf1da19f971f37d136fc4

SHA256
68c3a3654fdc2a523472194db90666322b47eedd8da32d2d6b21c316b856dc54

SHA512
b4307db857d8bc61b0fe24071eb5d4c045ae6125298bc0d70c7956084a11f7bb00fe79f9fa90076a00e92b0de6739ac81afec0a28b9669ced17dcaddf740bd6d

Download Submit
C:\odt\office2016setup.exe

Filesize
4.5MB

MD5
92885c6810b05ad79cf210469bd83d8e

SHA1
c7d972fd84732dc2569ce861a5bf56b3714d1da6

SHA256
ba5f6bb988e093a0e1b4d04fab04089ea6d40c02bc833907df1a7ff752bb449d

SHA512
ea96fc2b7ccefe81103fb092b37505559a6abb4d14ad52dda46c928877f0aafa725e84ca18864701b6ae842b42101695ce9b26e7bc00c4a7324c7af7506023ce

Download Submit
memory/264-605-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/264-315-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/812-359-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1300-271-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/1984-157-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/1984-163-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/1984-168-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/2008-425-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2008-622-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2232-200-0x0000000000430000-0x0000000000496000-memory.dmp

Filesize
408KB

Download
memory/2492-140-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/2492-145-0x0000000003480000-0x00000000034E6000-memory.dmp

Filesize
408KB

Download
memory/2492-143-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/2492-144-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/2492-391-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/2492-150-0x0000000003480000-0x00000000034E6000-memory.dmp

Filesize
408KB

Download
memory/2712-393-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2768-292-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2768-590-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3168-231-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3168-228-0x0000000002280000-0x00000000022E0000-memory.dmp

Filesize
384KB

Download
memory/3168-225-0x0000000002280000-0x00000000022E0000-memory.dmp

Filesize
384KB

Download
memory/3168-219-0x0000000002280000-0x00000000022E0000-memory.dmp

Filesize
384KB

Download
memory/3340-533-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3340-216-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3340-198-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/3340-192-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/3608-290-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/3776-273-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/3776-587-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/3872-734-0x0000018C92B90000-0x0000018C92B91000-memory.dmp

Filesize
4KB

Download
memory/3872-682-0x0000018C92E20000-0x0000018C92EC5000-memory.dmp

Filesize
660KB

Download
memory/3872-681-0x0000018C92E30000-0x0000018C92E40000-memory.dmp

Filesize
64KB

Download
memory/3872-648-0x0000018C92B90000-0x0000018C92B91000-memory.dmp

Filesize
4KB

Download
memory/3916-344-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/4052-170-0x0000000000650000-0x00000000006B0000-memory.dmp

Filesize
384KB

Download
memory/4052-176-0x0000000000650000-0x00000000006B0000-memory.dmp

Filesize
384KB

Download
memory/4052-189-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/4056-607-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4056-363-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4072-395-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4116-269-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/4156-206-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/4156-213-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/4156-217-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4156-534-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4172-233-0x0000000000D30000-0x0000000000D90000-memory.dmp

Filesize
384KB

Download
memory/4172-238-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/4172-562-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/4376-139-0x0000000007930000-0x00000000079CC000-memory.dmp

Filesize
624KB

Download
memory/4376-134-0x00000000054A0000-0x00000000054B0000-memory.dmp

Filesize
64KB

Download
memory/4376-135-0x0000000005B90000-0x0000000006134000-memory.dmp

Filesize
5.6MB

Download
memory/4376-136-0x00000000056C0000-0x0000000005752000-memory.dmp

Filesize
584KB

Download
memory/4376-137-0x00000000054A0000-0x00000000054B0000-memory.dmp

Filesize
64KB

Download
memory/4376-133-0x00000000009D0000-0x0000000000B4E000-memory.dmp

Filesize
1.5MB

Download
memory/4376-138-0x00000000054A0000-0x00000000054B0000-memory.dmp

Filesize
64KB

Download
memory/4424-180-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/4424-191-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4424-186-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/4424-201-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/4424-204-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4624-345-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/4624-606-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/4912-314-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/4952-621-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/4952-423-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download