blustealer | 427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
02-05-2023 19:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Quote 1345 rev.3.exe
Size

1.4MB
MD5

34aa0ca40863c30653a0b6ba10d3daa2
SHA1

c5dbbc9a3f6d537ab49aeb89223810cd67c256f7
SHA256

427279a267a65691961da1112b7c562ba7c707709b681c71a7194aa136066eb9
SHA512

34e46909f3ea586033baa5f73ecbf1f5072f2d05cfaf77f6ab2535ee0798f01427b1e62719fc4026f4b38af03e445a33ff2deb22ef9817ab42e506cfb5cb10d2
SSDEEP

24576:O94Lauo2BLrZ6dj7Wd50QKQIsBJXkQsUc/i/Egj87qLom0Y5m6Uy:O/uHrZ6WPKQ5X0QsUN/EgQ7qEmv

Score

10^/10

blustealer collection spyware stealer

Malware Config

Extracted

Family

blustealer

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 22 IoCs

pid	Process
728	alg.exe
3024	DiagnosticsHub.StandardCollector.Service.exe
920	fxssvc.exe
908	elevation_service.exe
2664	elevation_service.exe
4612	maintenanceservice.exe
3120	msdtc.exe
408	OSE.EXE
4200	PerceptionSimulationService.exe
1392	perfhost.exe
1868	locator.exe
2160	SensorDataService.exe
3340	snmptrap.exe
2492	spectrum.exe
3252	ssh-agent.exe
2072	TieringEngineService.exe
1072	AgentService.exe
3924	vds.exe
3332	vssvc.exe
1100	wbengine.exe
1152	WmiApSrv.exe
3148	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\spectrum.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\System32\alg.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\system32\dllhost.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\system32\locator.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\system32\msiexec.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\system32\wbengine.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\6761ff81c9ce9937.bin	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\system32\vssvc.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\system32\AgentService.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\System32\vds.exe	Quote 1345 rev.3.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2072 set thread context of 332	2072	Quote 1345 rev.3.exe	88
PID 332 set thread context of 5000	332	Quote 1345 rev.3.exe	95

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\policytool.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\schemagen.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\unpack200.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javaw.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jcmd.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\keytool.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javac.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstatd.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\wsgen.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\ktab.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\keytool.exe	Quote 1345 rev.3.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmap.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstack.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jp2launcher.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jinfo.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\kinit.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jjs.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{989CBEF4-A34C-4AE5-A19C-57B2F66BB278}\chrome_installer.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jhat.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\orbd.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jabswitch.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\rmiregistry.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ktab.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javah.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\wsimport.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\pack200.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\nbexec64.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jp2launcher.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstat.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\pack200.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\servertool.exe	Quote 1345 rev.3.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	Quote 1345 rev.3.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000044fc2aea407dd901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000011bc51ec407dd901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000809388ec407dd901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fe76e3e9407dd901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009f0a60ec407dd901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000994ddce9407dd901	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000794f93f0407dd901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c32f97f1407dd901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007fd037e9407dd901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	74	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
332	Quote 1345 rev.3.exe
332	Quote 1345 rev.3.exe
332	Quote 1345 rev.3.exe
332	Quote 1345 rev.3.exe
332	Quote 1345 rev.3.exe
332	Quote 1345 rev.3.exe
332	Quote 1345 rev.3.exe
332	Quote 1345 rev.3.exe
332	Quote 1345 rev.3.exe
332	Quote 1345 rev.3.exe
332	Quote 1345 rev.3.exe
332	Quote 1345 rev.3.exe
332	Quote 1345 rev.3.exe
332	Quote 1345 rev.3.exe
332	Quote 1345 rev.3.exe
332	Quote 1345 rev.3.exe
332	Quote 1345 rev.3.exe
332	Quote 1345 rev.3.exe
332	Quote 1345 rev.3.exe
332	Quote 1345 rev.3.exe
332	Quote 1345 rev.3.exe
332	Quote 1345 rev.3.exe
332	Quote 1345 rev.3.exe
332	Quote 1345 rev.3.exe
332	Quote 1345 rev.3.exe
332	Quote 1345 rev.3.exe
332	Quote 1345 rev.3.exe
332	Quote 1345 rev.3.exe
332	Quote 1345 rev.3.exe
332	Quote 1345 rev.3.exe
332	Quote 1345 rev.3.exe
332	Quote 1345 rev.3.exe
332	Quote 1345 rev.3.exe
332	Quote 1345 rev.3.exe
332	Quote 1345 rev.3.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	332	Quote 1345 rev.3.exe
Token: SeAuditPrivilege	920	fxssvc.exe
Token: SeRestorePrivilege	2072	TieringEngineService.exe
Token: SeManageVolumePrivilege	2072	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1072	AgentService.exe
Token: SeBackupPrivilege	3332	vssvc.exe
Token: SeRestorePrivilege	3332	vssvc.exe
Token: SeAuditPrivilege	3332	vssvc.exe
Token: SeBackupPrivilege	1100	wbengine.exe
Token: SeRestorePrivilege	1100	wbengine.exe
Token: SeSecurityPrivilege	1100	wbengine.exe
Token: 33	3148	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3148	SearchIndexer.exe
Token: SeDebugPrivilege	332	Quote 1345 rev.3.exe
Token: SeDebugPrivilege	332	Quote 1345 rev.3.exe
Token: SeDebugPrivilege	332	Quote 1345 rev.3.exe
Token: SeDebugPrivilege	332	Quote 1345 rev.3.exe
Token: SeDebugPrivilege	332	Quote 1345 rev.3.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
332	Quote 1345 rev.3.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 332	2072	Quote 1345 rev.3.exe	88
PID 2072 wrote to memory of 332	2072	Quote 1345 rev.3.exe	88
PID 2072 wrote to memory of 332	2072	Quote 1345 rev.3.exe	88
PID 2072 wrote to memory of 332	2072	Quote 1345 rev.3.exe	88
PID 2072 wrote to memory of 332	2072	Quote 1345 rev.3.exe	88
PID 2072 wrote to memory of 332	2072	Quote 1345 rev.3.exe	88
PID 2072 wrote to memory of 332	2072	Quote 1345 rev.3.exe	88
PID 2072 wrote to memory of 332	2072	Quote 1345 rev.3.exe	88
PID 332 wrote to memory of 5000	332	Quote 1345 rev.3.exe	95
PID 332 wrote to memory of 5000	332	Quote 1345 rev.3.exe	95
PID 332 wrote to memory of 5000	332	Quote 1345 rev.3.exe	95
PID 332 wrote to memory of 5000	332	Quote 1345 rev.3.exe	95
PID 332 wrote to memory of 5000	332	Quote 1345 rev.3.exe	95
PID 3148 wrote to memory of 3500	3148	SearchIndexer.exe	116
PID 3148 wrote to memory of 3500	3148	SearchIndexer.exe	116
PID 3148 wrote to memory of 4148	3148	SearchIndexer.exe	117
PID 3148 wrote to memory of 4148	3148	SearchIndexer.exe	117

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe
"C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe
  "C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:332
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path
    PID:5000

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:728

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3024

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1496

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:920

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:908

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2664

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4612

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3120

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:408

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4200

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1392

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1868

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2160

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3340

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2492

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3252

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2052

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2072

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1072

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3924

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3332

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1100

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1152

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3148
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3500
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4148

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
1d1a5ce98756f307d3f0cd423857c420

SHA1
516a01240f6ebf1ab210c64ebeed1cc95990355b

SHA256
483042bea0af57e09f265fc7ad18a70cd1804a3f64331d0ae59bf06429e10ac0

SHA512
c8fbb1c5c9df343bbf976a58df064e7b0d0ca02942deccddb979ec09dbb541be99f85f77906fbb9d8ba3fdfba6ff6ce47587eb2d016b0565b2f98f0df82198ba

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
c3591bfb99fef470599dc045591c855e

SHA1
14ea8cd8775af89cfe998935895ab23e2163d4d5

SHA256
26bb3e2bd060dbf6d59485c7370c70989c58e052933a74176c51c438a0870c4f

SHA512
0f536aee465e372447e88276b7e4fd2b5c1092560aa551a983cc4c652bb587f648a1dd04f97ff442126ba98e2cdcea01ca6c3f5200365cdc2b3251d70487502a

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
c3591bfb99fef470599dc045591c855e

SHA1
14ea8cd8775af89cfe998935895ab23e2163d4d5

SHA256
26bb3e2bd060dbf6d59485c7370c70989c58e052933a74176c51c438a0870c4f

SHA512
0f536aee465e372447e88276b7e4fd2b5c1092560aa551a983cc4c652bb587f648a1dd04f97ff442126ba98e2cdcea01ca6c3f5200365cdc2b3251d70487502a

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
6e9a6092feed8bfd0ee086b932e61b8b

SHA1
67b60df66303e0a99ab76dc88934b7a4b650ef7e

SHA256
b73ec9eee7d984ddbe0baa566d4389a4ec2297515a16ef075dbb5f30ff50c0c7

SHA512
acb968b095473bb5a8c4c49c3752427faf7934327402692df6336f0c8fa67b44919c5b5d7e98a3d974f326b9942e1bfadf33c2ae605fab424c276543903e95e9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
1.1MB

MD5
76c2efee6e0ad218fffc07704b7dbf11

SHA1
d1c5bdff8f74c5b4288544fdd3f754f0e1d3d987

SHA256
229cd811a315975fb0b7bd3d4ccc3e8b835f493b1f01acc1f429c2b328a328e6

SHA512
d333ea93bf965d0d9984e91cd7165137d106c4fb879d6b62c965ba39b7568e2e55052206d30d41924f095495a85f2c346394a74a3841dd2d814e66fdbd3bb7e2

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
34b34048d06fc6578fa51f8dd22faf22

SHA1
b95b37da9d82693691390b16545380baa2dd612c

SHA256
3912073c353a2e6e3c90cedca11c188bc26189401cda0cff84181da0a3cb0a8a

SHA512
1eccb6a227ee9ed5430d817b51f024dce81468b2bbe047a47f6ee88c25348e6d522aa7abbb4e3f75e00174f7dc3eb41fbc9b4ada9e6eeaf12a5158cc343489a2

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
960KB

MD5
7c1175eea7e6810e42193dd4c9162d6a

SHA1
0e05aaddbcb6ded796862d3dfa486a6d6fb143b8

SHA256
92ea336827f717fa8f67512fcc898100da61df2fff8a5f571ef9e1729781ebda

SHA512
9f70abfa5d536dd3d55161464c920d3efd0a95fcf90d9db618189b30ce79ab1a4027562bd1837337ad87d2590407b9b669d7c6b571a0b19a81c2ca514288fcef

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
960KB

MD5
156f81a2a4d34fecaa9dfe6672ea7eed

SHA1
38bd4fd67b5cefa72faee19f0cc3cc5063c71337

SHA256
12cd9e117e48befe0f10165681b3133d06b4c7f65fb1220438ff5f7336075919

SHA512
34f74112cf57d4672324fac7029a26e7c3470bdda08e2be40fc85102a074de99001ec391ae10242650963987002b080031b13ce5d5d425f0557c57c98ae1cdc9

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
fe09db8e17ff14232e9d8b0bb27b1aee

SHA1
ae0bf40971c5a4c3c510dc1d73a287b93c4b4747

SHA256
cd2703f4f0e0d49bb07ce881f42a06efe2e2c18f5c19dc979131a414b39e9d96

SHA512
239bf6f2e9d4e862c70a79aab3396c07ef46298eca099a1a3861ebe4dac41be1c80946c85bb54a2f88ea64c28956a0ab18c1561b46a2bb2c406f0bb477296371

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
960KB

MD5
84ef1fb4a3e7ce1a23e8b402e8cc6d5a

SHA1
da80f69ad15793e0dd343eb602b4788aa22cfe05

SHA256
670daef1641e8fec8e78993877deda3289f86a97a1f1e9b5c745f91e3f4a03d9

SHA512
fec9651342ff1963b58edffe933e597eec84069b4efb1d4174688e4eb40b8873ee4aa33efb171fee1ba28a1ca39f78d16ffbcbc0869b423c5f3cee1a761dc955

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe

Filesize
960KB

MD5
b0f3af46d731a5f79e592573b4d683ad

SHA1
8fce277c373613ebb60aa23eb8407d1faa3a9e5f

SHA256
58e16758095a4674deee5bac7cefd74d03115d94a59d55c9af296a2cce276fd4

SHA512
71cc3a49e80bef73f189442c32e41ece058d6445f5aae0d4a7379b37f408410dbdeb090095cd5dab4c630987367f369c4b1496cbebb772a031d66ea727328718

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe

Filesize
960KB

MD5
1f40b2c65aa38657855d92cd873622bb

SHA1
069b5aa97c9cacabaeaa1a663fd116597f7c6de2

SHA256
dc9191f3658d229ad2c23df894ea433e792bcda4ef7cfc4aa68f2b458f7e22eb

SHA512
7da55656b0b6fb535da1d9010ef5f0736f8fec81587ca00e52692af3fa5ba69f14dff5b735d230e3822ea1e0b197c456fda08e8d15432512480341bb9e7ff6ea

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe

Filesize
960KB

MD5
d2f4dc61d8f219edf3e29659b85529ce

SHA1
4813faf7fd1e05c933c7d85a1c55d908ffd89c72

SHA256
95e2c7b4dc6b705b4f63384a71f3a7ab6df116d641b39ed10a9d56c117400a4d

SHA512
6430820020e9333dfe31230e88b1809195b8f5984de8f97205161b24c153be78e795e2650682faa31b1149bccdeb247cae683da51e041edb0e3ebf715d2255af

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe

Filesize
960KB

MD5
4fce07db2871e75b221a85c903e5148f

SHA1
42fbb825db4fbba2ced6dfa81a9270b3cf1521a1

SHA256
b35e581c14674c0601b6a0cc48b4fdb7509e70d0af993e356c66f33111dc1cb9

SHA512
2124f026e9049f5a7040b412c443840e6c759cd03d6ad84f3fb832b207bbddd92fa6ff31d24aa1f55bb9581d2194ac90cbbf0caefb41de66fd6e921c1c04e192

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe

Filesize
960KB

MD5
b39ca6548dd1cf328af632a6226ae22a

SHA1
b84bbf7f13e1ac2d5bc9976ebdbef3ba9c2ac358

SHA256
7723955d950b5304d93167d9421807068107b9cacc27630163339a9594c3cad0

SHA512
783e51489463305b38783ced4fdd63e4b238a949f5cb0297580afb59aaafa923a9dbbc0614b13dd16a305a808c70490368c6dfdf8977a34a45b3cc43ea755eee

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe

Filesize
960KB

MD5
fdd575082aa5c9c2e3d3399733905db9

SHA1
791a96d62d6e5d7c517544005078b9d675f12a46

SHA256
2a7055ddb04ef0f505dfefcb8b7962c9c61cb63c01a4bce34b248e2fffd57b03

SHA512
4a1c07c387ed5a957588bc1e9c740be764ac17599450d28f672d70fd19093ea59331871ff7240bc50cc1aa726896c21a1f8b89d0ef96a30c15c44b74bb2e41f2

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe

Filesize
960KB

MD5
563664315b8a903644c4f5c11f7c1ea7

SHA1
d8550cc4a88f07b924ae66d1366373c362adc2c6

SHA256
2855d18964111b98b3c82aafd9c55e8dbbc30d5ddd1ff22092ad9038b1c045ba

SHA512
901e5d74c44c7acdb81ff9e565da4ace4db8625de6c57efe9366b12ade40b79810a085d4540d6e6b7d325d86c9b2265dbb15d09fc15982358b7e03bc3350a4cb

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\java.exe

Filesize
960KB

MD5
ee9466dfd123d98a2198a257c5693dd8

SHA1
0c11c875405ebee0c4d1ba2ea4d6598c4dbfb1b4

SHA256
50d4540d7072914d086196a3810711b5c1b0bc69a46e29ce42d8b39a7b617de5

SHA512
3e116134670236c54c5fd43d3cd637ad92c4b13afe54070fc2dca3678758b602c544bdb7f46edea8d1c9fd2970c60b2896f4109c9ff4be4204dde2b001b14aaf

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javac.exe

Filesize
960KB

MD5
c127d7afff818c71f8aa06958f390ec6

SHA1
a6d91aa12518363bcc80471d8874f66e983da23e

SHA256
1515b1adb5cfbf3245c1ac38fe4e478231de4faebb9da013cf06056e118437fe

SHA512
eebf499a528933cbb525998b2718f8f3710218919065de03b48dd61ee54d323834343c70a904fa29657012ca17a1a828eac0e8319cbfad11400d08a87f48a19a

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe

Filesize
960KB

MD5
bde07631b0db88e4374d76f8f04d38c8

SHA1
2f03cb53a3aba6a75fb759ed89a21b0196eedb25

SHA256
980c9c3c733eb52b0a2b6b5173b54e9a90ba1b8ba8060411b0f7c10aa7c9a8cb

SHA512
11ecd8041c40ce34a7883447853d6c8822d1e6be4b6da6e2c1fb65743860bbf744041206ba0c47f97eb6da94252d22e6bdb6ab35458aa09d911cc091fc30b7b9

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe

Filesize
960KB

MD5
82744344877c2840e4eec89be5694cc0

SHA1
9fc617365caa0da2e59b787108a88c049c24eb98

SHA256
6bd15de31db4c473c25b06a097607f6259fcd5031020fb9411c7b6c9da1dc2c9

SHA512
f88857895f9f83ef9ab5b4e5da4f51620dcdf2804b27e1b2ac027fe724a97234a497ea341417387a9b2c287d9e6f0162408b99f11ad81a3d467cc5db77708fa7

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javah.exe

Filesize
960KB

MD5
69606b132aaa098c8f07a2eaebc6c8d4

SHA1
0843d421db214391cb17bda0e6ebba5c44de5af6

SHA256
282caa98755dbb90b8ec36fc5d3aedb62ef900713270bab1200f4f9443cad25a

SHA512
6573b3dd25990018ea0606cc57b1e263b807df14785f63e9d4ca1b71b8d4dc716d73d043cbf6e9f94c3de7c50956330337f06a753dc58ba9d818258984edc438

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe

Filesize
960KB

MD5
772bb3ff628917353875e4d1a6bfb908

SHA1
6ff51b84778252c7a3da3a3cc215defb3c9f6b30

SHA256
43a8a0dd267e71252ae55f1d89c7164c27a922de6e2f1b96294f3cb9aa0e27e1

SHA512
e6cdf47aca36530569254640ceff2313ba48ad563a6081b7a205fe0823acc4af47ad40f141aa237b9bfbabdbf8ccffbb2180946c3e5ef0f00cf1098c43db1ee3

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe

Filesize
953KB

MD5
005fa8502e67c88bac6b1538cfdddeeb

SHA1
c198abb40e45ef8b14dad7c8e147ca11f934fde0

SHA256
d25a562e9a1f51a76baecf4639916e52e78f1b506f4baba9ec4c62b4751466ee

SHA512
27ec51fec1fffb384e6f88296e69579019f42d5a485b65526a1ec59d635529a9ba2707e2344d30be9c6ea2d3ca5d5d9f4325fd9d154d19030c7c7d456b09cb46

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe

Filesize
896KB

MD5
676e24b39e4b4fc9bf9a8e3ee204afad

SHA1
b75f130705523c3c0b4ebe197192198c63f74ea7

SHA256
9629d212c8a6d543aee756134b4161b9e75854cf49396102cd3fa4c2765c1a9b

SHA512
cb2ef33cc02a32147478e549691de09a8174adb1fb488192848fae30748e2623d6a4087725bbc0db6cf90871118c84aef02522c625feadbcffec11160545a340

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe

Filesize
896KB

MD5
d0b36ecbd62fb68ba05d3ff256b90f08

SHA1
5355bce071c048af413cdee12f7fee5e65f950d9

SHA256
02af2e729fd2f962b76f1f96022e76967f458ebdd64e26ecaa719973bd7755ac

SHA512
51d0e18b0f47e690ed4853523e88f8d95b54212b35b3ebe4ea7d4a9fefa2e4b0b84119743dfbd4087f4c2d8385ed958583f5215700a94a22456330002551d576

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
caae34369df81f0eeb6d694d08700416

SHA1
61bc87f1ea4514e5ff0571fea6d7bc03258d76d4

SHA256
94e2f47dca3aef1db4bebd0a5bf482e969e9bdc65c91afbbfcf967b25d04fe39

SHA512
b7818c9866430c3d9b7779555851c22faa4cdaf20720a5a99553338f764268786fe96ba349b47f7394c61c172692cfabc89c211290a39440070e7a080042f36b

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
d0b82ce57b966dd918f630a88a7c33fa

SHA1
c3d2c0233d642ded61ac698b76114191bd46ebfd

SHA256
cd76d79a71c095cb7cefd670ec3837d82f064515a952bd3a485d7daec806dce7

SHA512
3d01976ab6951ff736fc100c45ab4c7a2e2724a983aeb3fe72e92370010b5fa477098dac3a710d38d044393a38a2cd954876869034dbea35d72f029acf2e7e74

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
d517236c83c2ebde9a096134d8903a3a

SHA1
c8688b8fa48b5da35bae57ad97237b1eff7b2efe

SHA256
ffc642b584168b6c7b71f0d41530327fb5628c3ca8ec376a9b41ecc48680065e

SHA512
d6c6de97648e8a01317243c4ff1058d8e2ba1b14fcb9a822cab48d078b137a029345353bd71e965aa2101492563edf60548a8fb5605826999976d565788229ce

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
7191152775ff51dd00a8e60c3d41cda5

SHA1
09d64c170a6cf7e718d1b0eb07e3d06015575662

SHA256
3d0b12ff370995acf9100b9f80fa07abf93ea4fd6b0adeb2c9da31079569a372

SHA512
ffe4dd631809a75e40c9f8517eb5859bbc0f7b3a6a6d8b7cfd6b5ee8aa10346b3012fd1daa101d05b47867b45c804ef28794614c4f3f15f101d900b26b88a593

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
67d1c838d3bba32d42c235402600c671

SHA1
5da19e3934e966f91e29b48eb3a630f0063ba5e2

SHA256
2426b361c438796ddcc6dbc2fd7e121b5cfeffe3d2a64fc7671d4604f2e856b6

SHA512
807be10a1fe5857cca63e9925b23505f8837cd05d1c51a01f2c4598b05cb54794fd400449bf11cc2284f97c8df8d4a19f781e0192fc5867d1ba55c0526882022

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
135d1c2468603deb399485ae658975b9

SHA1
bc844c6cbb3ce9b3ad9651c88cad3a6adf1bfb5d

SHA256
528729198a1ace7e3ac73707b0e9391100630a842df86eef9bfa277a559e0218

SHA512
e8072010bd10918f5cf3f2c41581e96b39988098a9d162d355d9654ecd9406a1ce62bcc5bd3462ba03c30d214c8f903ae58bbda3dcb7cf4f99c34546c51e2a41

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
68d82283d9f188075e6ac86aff43ea8e

SHA1
e4dde388625e5dd044dea7f785384366425c00ce

SHA256
0943179ac4cabc740eac16594e4ea8dc1617e9f0fcaed4489c4dd1d84d79c3be

SHA512
c8f5dd0c112b40b7d9cf76cd75e8739f601d899ed4a97728e4312408a987a51d59e6def0e67e8fc0f9442be5518c4ce306bca0eb7474b029eea91c4879e243d9

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
68d82283d9f188075e6ac86aff43ea8e

SHA1
e4dde388625e5dd044dea7f785384366425c00ce

SHA256
0943179ac4cabc740eac16594e4ea8dc1617e9f0fcaed4489c4dd1d84d79c3be

SHA512
c8f5dd0c112b40b7d9cf76cd75e8739f601d899ed4a97728e4312408a987a51d59e6def0e67e8fc0f9442be5518c4ce306bca0eb7474b029eea91c4879e243d9

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
bc39e1d4d77fa4a557e1d871c38e4cd7

SHA1
ed014a288d9eb71c8b08227c1fbb4a8e028a05e4

SHA256
bfbeacfbf0505ce0d5c6077b54878dc62fb041e513d1923ceb8ae74791850867

SHA512
f77b891f734135953974ee914b14d7455cdb058bd45cfb24387752e04f679b2c83fec2ecfca2f2052af0387f4332cf084a78c96d98471eefd2b06188b6b92bd7

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
ee28ac9316c6bbe62fd0eea62353b0dd

SHA1
cdfa173ca7757c77650f2ce88e5aa182d3d1f5ec

SHA256
4fd1d2a272e30a7c92f8d39850a05a18511a84c57c759c0e2da861d133095aa3

SHA512
2edc42d81e998f8b37d4110cc9cd9804f5461ab08c3b5da652de18867cd060c14d8ae2a5a93224b43006a527f0d66b4d8fe5482f4992246be4f7ef98d2922170

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
19234c5fab7f0de233f2451391140c7b

SHA1
9e25b07e6803f0a8298fcda7775c49acb3894234

SHA256
96b93025d71517f488a625193e6002c6fca37910c964030f1fda65342fc1a65e

SHA512
8a39c9e49851aff979aa5b72ed6f0c51e2450f2103b749a6a9f39ccd0ecde1430fb296aed7e5c9bff22b9d0a8ad084ff3696545f3270b962919ff135fae99cb5

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
19234c5fab7f0de233f2451391140c7b

SHA1
9e25b07e6803f0a8298fcda7775c49acb3894234

SHA256
96b93025d71517f488a625193e6002c6fca37910c964030f1fda65342fc1a65e

SHA512
8a39c9e49851aff979aa5b72ed6f0c51e2450f2103b749a6a9f39ccd0ecde1430fb296aed7e5c9bff22b9d0a8ad084ff3696545f3270b962919ff135fae99cb5

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
9617964086b05ab13bfaa8368368b147

SHA1
4197f6fdd9d69bba3c28b7bf5cbdad8ddfee9499

SHA256
2bb50ad7ad587aae7eb0b0f5c1baa3ab83de1ac29dc0b2e8c909683f49f45324

SHA512
2d635fc82d5cc32db13a5d59e804c49d7236d02a42768fdacd7dbd77d56ed9782ed393b3d35229dc668da98366680de8121169e0a9df3b7b79020a4c664c9d61

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
ccdc359fd62b638daee6069a573565f1

SHA1
6da382882aefb7a3e5971773db343589da773cad

SHA256
6249d160303fee72fbb5eed679af61d7a192b922947eb4bd81d6e473d0b1e6a1

SHA512
0daabee3c8223b1a62b85ce14aace3307647fbd7cd3558e367cbf73c4f55684b8fa0ffd08a16f3022fd13c47e108a6980627ad7da4b063b54741f2d8ca4dc977

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
239ce57ee1b362f538b0d2c9d2444356

SHA1
ec9a330b3026c391e7f7dcf3ceaecedf11ef981e

SHA256
be5c6f57bf184f8f32a5047aec89cc5a0c817fd29e41e76dcc3b36e74442e8ed

SHA512
f09f884a570370a7d8fd8ef5959ed6834a5c4b049eb7ec7480a2be21fac4baaf2c0b59304cc6327b6b989178ef23cb80c155f0a318353a320f0abf59ffbabe55

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
f702e6a65fac06f332f12962d9826973

SHA1
dc412f7e1bfc384f47f5252644adf5e944478002

SHA256
3d5a724574c43f289a9f4de525bafcac82938446219cb6256c8346dbcf354d43

SHA512
5465815b4661846315405922d86462c25e60bbe6a68d07fb8e60c2e2ba2cd6b398a319d7cf0d2014f394e9c300ee7b08f0f086b5c353499ad52f18eeea3b508e

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
1642efb065de1b1b313325d234218cab

SHA1
b1e0cc866173087e3a6d55703109cf08ec38acec

SHA256
c60282d5f31669cd0ce3a939b7c86e5d0d7eeca8ebfd5ecb0236883cf61552ca

SHA512
fd95fc2cacb4bb1f33493a7661d9fec9bb759d59983e2c76da4f07283dbf2dc552d8cc98116d35486a6ad3660f845095f53600803e909fcc9d1b4db477b8b4e7

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
64d3411578e1ad1c14765e03299cea7c

SHA1
c2e16e24f40759d6065a2858416b3b529989b746

SHA256
48e7821ef6975f6afc9b021672fcfa6aa2ea01d8c1b074ff57e54b0049aa341d

SHA512
3a81502f3f7d86459127ef82f590b8ba316c8f442128ff73a7746d713c549e83f6438c0e423d95a56e9a3989e0e0fa967588beb2452fbef0ff89e35bc9b1f8ec

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
f5870c86b2992af06b5c426aa55c5fb0

SHA1
5c3484dc14fde7ec670560013fa288915bc57f47

SHA256
70046c50d674e724ff09958745e439d57a1ed2f44bd0b7e35260ddf2c8da4451

SHA512
b5029d09fb90e260ed2ca17234ce9048226c01c7ea17bbc9d013ae210e662d39f6761fe2e5ad41ee3de9fedc1bb97505443231cbdd081d1a6d7a96473bfe4530

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
3e5b579bd11d9ed6408ad971e61d0c05

SHA1
aa4a82306741949b7f67a5278841f4681fef145f

SHA256
75b37a3e9733ea4ac548d2cae0bd0239770c75e760babd3d08da2b8619605b44

SHA512
8ff131f9a2e0bbf3e560f6dac1dc06273ae3e8cbc6c737fe51b8bce3cc742a9845b214729d84e150c2767d8fe022890f766191cdbfc86b1bd8940943286b997f

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
76f877ce46a0caa7a90260473d2ea666

SHA1
369a2d5986e5eb2db29d6fb0c659659deb75e909

SHA256
a9be2e7e890f20cebad26033b9f9f8b6d1c819c42e50d0323a02760921b7a667

SHA512
294b6b2701f10fa1c87baa68beb538f693a2d35c3bcae75e439327ea1f906b119f763cbaf40a17d538a746f5e50c7a120115e8473b45ebe8ad1364717e5cba8e

Download Submit
C:\Windows\system32\AgentService.exe

Filesize
1.7MB

MD5
d517236c83c2ebde9a096134d8903a3a

SHA1
c8688b8fa48b5da35bae57ad97237b1eff7b2efe

SHA256
ffc642b584168b6c7b71f0d41530327fb5628c3ca8ec376a9b41ecc48680065e

SHA512
d6c6de97648e8a01317243c4ff1058d8e2ba1b14fcb9a822cab48d078b137a029345353bd71e965aa2101492563edf60548a8fb5605826999976d565788229ce

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
298efd051ad966fc8cb7bc23c84ac181

SHA1
1f39e6eb28ee28be7f3baf93009fa9c8cae92bb4

SHA256
197f91fc4aa2f6f27451f7051ae10e9eee95a2e0fd989255347c79eef71f228c

SHA512
8d06c6a5cc0e36354cbc7c21efcd9a0747f76d8f79cae1891118247ffbe483b586345b11b5b61735dcb8771b2b6b7e481dd3ead2f25b8e8b2284ba0dedf5b161

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
00ffe53cd86922730a8c8168f6d76318

SHA1
20c471c7d2aca33dfcb443d2417a3d965e76111a

SHA256
3d5f347ea1e21cf2c1df0eb4ec22885fca28febced13d849cb5ad756817a232c

SHA512
339bc1c9639befaaebddf4e27bf850e76d21f2a2a15c645e799e988064a891762c7b1c02aefd8eecac4f5a99215b11d5441122f12c7b40cd14946130f5e65212

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
67d1c838d3bba32d42c235402600c671

SHA1
5da19e3934e966f91e29b48eb3a630f0063ba5e2

SHA256
2426b361c438796ddcc6dbc2fd7e121b5cfeffe3d2a64fc7671d4604f2e856b6

SHA512
807be10a1fe5857cca63e9925b23505f8837cd05d1c51a01f2c4598b05cb54794fd400449bf11cc2284f97c8df8d4a19f781e0192fc5867d1ba55c0526882022

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
357c96f47b9352924027ed23b0c2dfe1

SHA1
9d478902d38ccbbd82a33b6442e489396cd40ab3

SHA256
15bc698a8e674570aaf97b8f906bd01d7c935ef0a3b0e8b5e59ed0592fb5108c

SHA512
543ad4f85201ce3d9bd719b273648307e54dcff0eb935c106a21e474df34490d5f0eae04e90157d6e15b14e3d948f7602477e2f8bd3ba1556a374338622c7856

Download Submit
C:\odt\office2016setup.exe

Filesize
2.9MB

MD5
0ffc0bd2b48862ec93cca02faa5d63fc

SHA1
d165d0978fde13f61e3df9e8b8dbb276c94ef4af

SHA256
1cf03c428eb963ae3d332b55637008d99ad7300fdb82c1eaa8813777ee1a3005

SHA512
88d141bf548876bd3450ab7c9fb34c3f1e8a6e1b8fc02509aade9a3c67d593c026843a2c3ecc73dab2ab66cc520c5ec61ff2511c624c172c4a7b58dd805c6ee1

Download Submit
memory/332-149-0x0000000001180000-0x00000000011E6000-memory.dmp

Filesize
408KB

Download
memory/332-456-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/332-140-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/332-144-0x0000000001180000-0x00000000011E6000-memory.dmp

Filesize
408KB

Download
memory/332-167-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/332-143-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/408-277-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/728-403-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/728-156-0x00000000005B0000-0x0000000000610000-memory.dmp

Filesize
384KB

Download
memory/728-162-0x00000000005B0000-0x0000000000610000-memory.dmp

Filesize
384KB

Download
memory/728-168-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/908-489-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/908-201-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/908-197-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/908-192-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/920-193-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/920-180-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/920-186-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/920-189-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/1072-356-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1072-361-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1100-406-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1152-689-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/1152-407-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/1392-280-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/1868-299-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/2072-133-0x00000000005D0000-0x000000000073C000-memory.dmp

Filesize
1.4MB

Download
memory/2072-137-0x0000000005080000-0x0000000005090000-memory.dmp

Filesize
64KB

Download
memory/2072-134-0x00000000055E0000-0x0000000005B84000-memory.dmp

Filesize
5.6MB

Download
memory/2072-353-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/2072-138-0x0000000005080000-0x0000000005090000-memory.dmp

Filesize
64KB

Download
memory/2072-136-0x0000000005280000-0x000000000528A000-memory.dmp

Filesize
40KB

Download
memory/2072-135-0x00000000050D0000-0x0000000005162000-memory.dmp

Filesize
584KB

Download
memory/2072-139-0x00000000073A0000-0x000000000743C000-memory.dmp

Filesize
624KB

Download
memory/2160-301-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2160-571-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2492-327-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2492-617-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2664-222-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2664-538-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2664-205-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/2664-212-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/3024-170-0x0000000000550000-0x00000000005B0000-memory.dmp

Filesize
384KB

Download
memory/3024-176-0x0000000000550000-0x00000000005B0000-memory.dmp

Filesize
384KB

Download
memory/3024-195-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/3120-234-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/3120-244-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/3148-458-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3148-695-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3252-350-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/3332-384-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3332-639-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3340-324-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/3924-382-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4148-750-0x00000228C3A30000-0x00000228C3A4A000-memory.dmp

Filesize
104KB

Download
memory/4148-704-0x00000228C32F0000-0x00000228C32F1000-memory.dmp

Filesize
4KB

Download
memory/4148-690-0x00000228C3A30000-0x00000228C3A4A000-memory.dmp

Filesize
104KB

Download
memory/4148-691-0x00000228C3A30000-0x00000228C3A4A000-memory.dmp

Filesize
104KB

Download
memory/4148-659-0x00000228C3A30000-0x00000228C3A4A000-memory.dmp

Filesize
104KB

Download
memory/4148-658-0x00000228C3A30000-0x00000228C3A4A000-memory.dmp

Filesize
104KB

Download
memory/4148-641-0x00000228C32F0000-0x00000228C32F1000-memory.dmp

Filesize
4KB

Download
memory/4148-753-0x00000228C3A30000-0x00000228C3A4A000-memory.dmp

Filesize
104KB

Download
memory/4148-619-0x00000228C32F0000-0x00000228C32F1000-memory.dmp

Filesize
4KB

Download
memory/4148-752-0x00000228C3A30000-0x00000228C3A4A000-memory.dmp

Filesize
104KB

Download
memory/4148-751-0x00000228C3A30000-0x00000228C3A4A000-memory.dmp

Filesize
104KB

Download
memory/4148-731-0x00000228C3A30000-0x00000228C3A4A000-memory.dmp

Filesize
104KB

Download
memory/4148-749-0x00000228C3A30000-0x00000228C3A4A000-memory.dmp

Filesize
104KB

Download
memory/4148-745-0x00000228C3A30000-0x00000228C3A4A000-memory.dmp

Filesize
104KB

Download
memory/4148-744-0x00000228C3A30000-0x00000228C3A4A000-memory.dmp

Filesize
104KB

Download
memory/4148-692-0x00000228C3A30000-0x00000228C3A4A000-memory.dmp

Filesize
104KB

Download
memory/4148-743-0x00000228C3A30000-0x00000228C3A4A000-memory.dmp

Filesize
104KB

Download
memory/4148-742-0x00000228C3A30000-0x00000228C3A4A000-memory.dmp

Filesize
104KB

Download
memory/4148-723-0x00000228C3A30000-0x00000228C3A4A000-memory.dmp

Filesize
104KB

Download
memory/4148-728-0x00000228C3A30000-0x00000228C3A4A000-memory.dmp

Filesize
104KB

Download
memory/4148-729-0x00000228C3A30000-0x00000228C3A4A000-memory.dmp

Filesize
104KB

Download
memory/4148-730-0x00000228C3A30000-0x00000228C3A4A000-memory.dmp

Filesize
104KB

Download
memory/4200-278-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/4612-216-0x0000000001A20000-0x0000000001A80000-memory.dmp

Filesize
384KB

Download
memory/4612-223-0x0000000001A20000-0x0000000001A80000-memory.dmp

Filesize
384KB

Download
memory/4612-227-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4612-230-0x0000000001A20000-0x0000000001A80000-memory.dmp

Filesize
384KB

Download
memory/4612-232-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/5000-224-0x0000000004F90000-0x0000000004FA0000-memory.dmp

Filesize
64KB

Download
memory/5000-211-0x0000000000700000-0x0000000000766000-memory.dmp

Filesize
408KB

Download