blustealer | a894ab5bc1a3a77398b7c8b154acc165d9dc5e4e183e573daa8dda6c969d58f3

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
08-05-2023 07:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Purchase Order.exe
Size

1.5MB
MD5

50815feaceafebb93a883fd6790af856
SHA1

9eee055af8be7bc6de2b6a3b869b553758ca741f
SHA256

a894ab5bc1a3a77398b7c8b154acc165d9dc5e4e183e573daa8dda6c969d58f3
SHA512

08fedff0fca35a0be3201f41e2583089284640e98f8597d4b33582e3b0b7157db4d7da0b1587deccd69564911b702fe159e9de9700cf6edee875cbf191d64e0d
SSDEEP

24576:EMQt9u/6kEu3h2ZuJPsbIf0O9AXpTHH6yTuEBEel9DWtJ/qBcME7W+DUn+GOaHjR:Wt9u/6kzwu7sjFpBEeritJ4QB0ZljJ

Score

10^/10

blustealer collection spyware stealer

Malware Config

Extracted

Family

blustealer

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 22 IoCs

pid	Process
5004	alg.exe
4092	DiagnosticsHub.StandardCollector.Service.exe
4600	fxssvc.exe
3736	elevation_service.exe
1640	elevation_service.exe
1944	maintenanceservice.exe
4556	msdtc.exe
1548	OSE.EXE
2272	PerceptionSimulationService.exe
32	perfhost.exe
1636	locator.exe
2156	SensorDataService.exe
4756	snmptrap.exe
4164	spectrum.exe
3232	ssh-agent.exe
1264	TieringEngineService.exe
1724	AgentService.exe
4644	vds.exe
3504	vssvc.exe
1912	wbengine.exe
1592	WmiApSrv.exe
1696	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	Purchase Order.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	Purchase Order.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\AgentService.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\vssvc.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\wbengine.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\spectrum.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\87cfb92cc9ce9937.bin	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\locator.exe	Purchase Order.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	Purchase Order.exe
File opened for modification	C:\Windows\System32\vds.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4656 set thread context of 3816	4656	Purchase Order.exe	92
PID 3816 set thread context of 1076	3816	Purchase Order.exe	98

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jhat.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\policytool.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\serialver.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jrunscript.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\java-rmi.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\policytool.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\pack200.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmiregistry.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jabswitch.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\ktab.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\servertool.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\tnameserv.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jsadebugd.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\servertool.exe	Purchase Order.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\orbd.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\tnameserv.exe	Purchase Order.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jconsole.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstat.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\ktab.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jabswitch.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\kinit.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmic.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\rmid.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\servertool.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ssvagent.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{989CBEF4-A34C-4AE5-A19C-57B2F66BB278}\chrome_installer.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	Purchase Order.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\wsimport.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\klist.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	Purchase Order.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdb.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\kinit.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\nbexec.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\unpack200.exe	Purchase Order.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	Purchase Order.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007e593f548d81d901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000017c1e4538d81d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006dba60548d81d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f4bf5d528d81d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000379a37528d81d901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cb71f5538d81d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c318a1548d81d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001b14c3568d81d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	63	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
3816	Purchase Order.exe
3816	Purchase Order.exe
3816	Purchase Order.exe
3816	Purchase Order.exe
3816	Purchase Order.exe
3816	Purchase Order.exe
3816	Purchase Order.exe
3816	Purchase Order.exe
3816	Purchase Order.exe
3816	Purchase Order.exe
3816	Purchase Order.exe
3816	Purchase Order.exe
3816	Purchase Order.exe
3816	Purchase Order.exe
3816	Purchase Order.exe
3816	Purchase Order.exe
3816	Purchase Order.exe
3816	Purchase Order.exe
3816	Purchase Order.exe
3816	Purchase Order.exe
3816	Purchase Order.exe
3816	Purchase Order.exe
3816	Purchase Order.exe
3816	Purchase Order.exe
3816	Purchase Order.exe
3816	Purchase Order.exe
3816	Purchase Order.exe
3816	Purchase Order.exe
3816	Purchase Order.exe
3816	Purchase Order.exe
3816	Purchase Order.exe
3816	Purchase Order.exe
3816	Purchase Order.exe
3816	Purchase Order.exe
3816	Purchase Order.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3816	Purchase Order.exe
Token: SeAuditPrivilege	4600	fxssvc.exe
Token: SeRestorePrivilege	1264	TieringEngineService.exe
Token: SeManageVolumePrivilege	1264	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1724	AgentService.exe
Token: SeBackupPrivilege	3504	vssvc.exe
Token: SeRestorePrivilege	3504	vssvc.exe
Token: SeAuditPrivilege	3504	vssvc.exe
Token: SeBackupPrivilege	1912	wbengine.exe
Token: SeRestorePrivilege	1912	wbengine.exe
Token: SeSecurityPrivilege	1912	wbengine.exe
Token: 33	1696	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1696	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1696	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1696	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1696	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1696	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1696	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1696	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1696	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1696	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1696	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1696	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1696	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1696	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1696	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1696	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1696	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1696	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1696	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1696	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1696	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1696	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1696	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1696	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1696	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1696	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1696	SearchIndexer.exe
Token: SeDebugPrivilege	3816	Purchase Order.exe
Token: SeDebugPrivilege	3816	Purchase Order.exe
Token: SeDebugPrivilege	3816	Purchase Order.exe
Token: SeDebugPrivilege	3816	Purchase Order.exe
Token: SeDebugPrivilege	3816	Purchase Order.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3816	Purchase Order.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 4656 wrote to memory of 3816	4656	Purchase Order.exe	92
PID 4656 wrote to memory of 3816	4656	Purchase Order.exe	92
PID 4656 wrote to memory of 3816	4656	Purchase Order.exe	92
PID 4656 wrote to memory of 3816	4656	Purchase Order.exe	92
PID 4656 wrote to memory of 3816	4656	Purchase Order.exe	92
PID 4656 wrote to memory of 3816	4656	Purchase Order.exe	92
PID 4656 wrote to memory of 3816	4656	Purchase Order.exe	92
PID 4656 wrote to memory of 3816	4656	Purchase Order.exe	92
PID 3816 wrote to memory of 1076	3816	Purchase Order.exe	98
PID 3816 wrote to memory of 1076	3816	Purchase Order.exe	98
PID 3816 wrote to memory of 1076	3816	Purchase Order.exe	98
PID 3816 wrote to memory of 1076	3816	Purchase Order.exe	98
PID 3816 wrote to memory of 1076	3816	Purchase Order.exe	98
PID 1696 wrote to memory of 4752	1696	SearchIndexer.exe	120
PID 1696 wrote to memory of 4752	1696	SearchIndexer.exe	120
PID 1696 wrote to memory of 2544	1696	SearchIndexer.exe	121
PID 1696 wrote to memory of 2544	1696	SearchIndexer.exe	121

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4656
- C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe
  "C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3816
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path
    PID:1076

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:5004

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4092

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2852

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4600

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3736

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1640

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1944

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4556

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1548

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2272

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:32

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1636

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2156

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4756

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4164

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3232

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:636

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1264

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1724

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4644

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3504

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1912

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1592

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1696
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4752
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 900
  2⤵
  - Modifies data under HKEY_USERS
  PID:2544

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
bcc6d7fcc99158b7112897b8b051a58f

SHA1
fd78eaafcb0a095cfba0caaebe85667c38b366fe

SHA256
e02f6e886c73b5576ca01a158c0c8de094fa3e768fd2e9f7a683c7976cd9dbff

SHA512
7a433cde345b55b882e8ec9c3204ef38ef255243a20f6d8cb1467144e23c5c3d88993734afdd0a2ed5cc8efd2ebd2bc96c46f65609649a3574c376d332775f4d

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
b4b5adf53145fc53683858fc66d786d0

SHA1
8568e94bb76abe1db2ea65ea37bcb75e1c8708a6

SHA256
a2034b51b199e8cfa16c804e5ec9479bcf3b0402822aff5067a8742084a88112

SHA512
5e4596d8dbb579786b8eecae5655bca6c926a014157d9a0b3c64548e40b69a281699f0ef96e07ffce70bdc3209336f2d9c1a8fdd3b6069031a920a37c78d91c0

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
b4b5adf53145fc53683858fc66d786d0

SHA1
8568e94bb76abe1db2ea65ea37bcb75e1c8708a6

SHA256
a2034b51b199e8cfa16c804e5ec9479bcf3b0402822aff5067a8742084a88112

SHA512
5e4596d8dbb579786b8eecae5655bca6c926a014157d9a0b3c64548e40b69a281699f0ef96e07ffce70bdc3209336f2d9c1a8fdd3b6069031a920a37c78d91c0

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
cb6a7e03493abd14de7ea8643561a834

SHA1
101f9f7c3323c5d6c8d37de8f2b60050cc40d1d5

SHA256
fdf31959375915807d011c5f788c78829646dab5ffc7cb411fb7d777e75cc3e5

SHA512
fc6e3bc49ebafff8af611253897b5bad340da9db82a1cdfbe9e589ac4bc36480ae8ef97b3e5fb8a70af5f9c48e32b8db8b5ba7f7dc13c22aaf512e95a91c8c17

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.4MB

MD5
c5f7057d23d58c8e6fafc6d073141625

SHA1
5bdb5f89213f3a61492ef9c54eb455e9319a7cbd

SHA256
e27bbb731530c060fd0d81e9ba27ed07124ca5155270f9c26fbbfa0ff0ea5615

SHA512
56891714f754f6a01af5e53d685e35d6cb85f0a15460a4ddd09d8b25fa8880a44dfa4f82e40a57f837a4e156ba24905dbedfb277ba550b760b3a8bc256465f9d

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.1MB

MD5
93508a5516d5b372c9054e7f3fed23ef

SHA1
235844963451270168df3242705ae1b86894061b

SHA256
612b1b16a155a45d726df83f823471764cee24a04126bd51e72e1e826c7f59ab

SHA512
ed62c6ed57d03981cb5324e600ec89bc50fa0156cff41b9360f56b56cf2849b17bd478196b49b5ff0d7c9a54e07ea6491c6c4d5112a1ab4299d7b8f624513536

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
081913fe53f4128570a398aae23fab9d

SHA1
ef4c628f601fa9e6c0ec7c08e725f69cd9900e65

SHA256
e8210a011b9d60104e46c4daa3bffdcb20b0369790b54007a55a2152d67d893b

SHA512
e09fed06d5a33421abb24f9344596bcedfb09fc66faa8a66b3a5137729cdea8d6be6e23e3ba920d4778501f7be3b396218296ffbf60b285e11f51b4b2ee9e1df

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
863b70e96021145f19ec683b40aed91c

SHA1
e4c681434844685dc11fb7f625bfdd2ef7b2d911

SHA256
419b2249fddfba89b46e5cdee903c1b490ad7f534e122b5524f60bc4ebce439d

SHA512
a37231fda0ed8e68b6975243a3e5b86b42ad8b93c920f6a890f1df58e2eb540f92d3b5a80f89f712f69e7536fd12e78eee78b96df69e24136e7bb0b998b7edb9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
3.6MB

MD5
773e946cdf40153b29ace4b449b201ea

SHA1
e2b71f9915cbeba549482b8712b572fb636b4ada

SHA256
aec364b01c748a5a7df393e9ca641c95e26fa0083ae450afdb727a67288519e2

SHA512
982d72fa6b9dad5c2c083e870239a158735bdb6cda07c70cf7321267859acd967277f1106bdd6d750d851a4de67cd31f93f336505e39aa25b84fdab5b8fd0e4c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
7c61f8802d1cd9a96d6b55f188fbb746

SHA1
985245d566c38ec4d3ffab2eb4da740e2552fbda

SHA256
c833ce376f1d46479186f3442d0238edd6573314865416880ee009471292c650

SHA512
b4c1191825ca2ccc50af00a08b753e3984e11145d212b6aace1b248c51f257501002a42011b54cb16b722ab0b1de9e511cd500831051fc2c6c2c9aee53aae47b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
3.7MB

MD5
d9f24fc2037360d78f3525fd936dff22

SHA1
faad342333d60cf4f5a1f06fa327c50b22184744

SHA256
b3d981c623f7491d082d3c2acf5e373932fe3b860c8c8410a3ca9152a7ef50ac

SHA512
2ff23af6920ad6b6338b9d73b0b23d6920141aa3d2e328589c95580f40494a8089476da555d0abe58535cebc082276aaed2875c24ce0a623f2babcfba9e5a94e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
fdd59073996921c7cf0573287d06df8d

SHA1
b1f235abf8b8fa9bfa17468470177882b3594c27

SHA256
aff07f3ce1f9594fd6bfddcf0eca74a1cf500c9e706144fa38b7eec552cf217b

SHA512
aa8f5c698ac786564e15f36f127e7d8070b9a51852deab13239f87967c4c143c82d401d6cdb48ffdc77d8fcf1702dc77a2d8d29765163e88a1245cb402181cc5

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
266cb80b06a71b6b65ca8206aed00a41

SHA1
1d681568e3c8ad6dcbf674760737600c35f83403

SHA256
a38dd1892cd8d103aaea065c3038be66cda849e8f45c82857fcdd2f86960e328

SHA512
a48d626f9be35dcc2886b39af38cbc5293e6f66e5145358d98c390be507e9921636e92d75346c8d0c5043a69730929591ccf69557273e08f043a263d21bbb0db

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
36e03a37c4cac9f6ba4deb3f65b786d6

SHA1
db88cf26249b6430d3fdc97572aa47dd1b2adf2b

SHA256
138257ba09dd897799364a7a66f0513dd9167eadc4a2f80166e568b343a6215a

SHA512
4c788ed3bb2b5660047969bc3744d681a423a681419f7f0b8013f663c2348daa5586828e5101a2820b71e3fd0524a30ae66cfc00a95493896479d3b40f258731

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
60235cb8aa2dd3d68bfae0504435ff58

SHA1
17e63309e56e978ab3f490ce30ac6fda60b2da3d

SHA256
cb54cf4bed430905090da54f4bfcb033aed902f7667e4fc22c2234837174a306

SHA512
3d368a75fd62c3b4761ec4855e2d31e5364e46b3986ef0ac7e95a95ec7d6b5b3175fa8bb91720e0f3a210f90f2db1b2dea32f4dd86255ebada223ff254588c4c

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
3.6MB

MD5
3f7d71bdb34a863aadb2b2cd3d4c49a5

SHA1
463babc981db93d98ad34f32d07eddbfde53a720

SHA256
7d0f21be4374a8d0de83a25c18a462b61ac3981c361553c6a48fb8c24e9133e6

SHA512
65017b168d707fd6df67d2296935917f0ff5b22ac0aca5888da4b7ed885b296141fd7ee5cea79f4a528305046bc02c3950da410c9d0aa61afd42f42bef642ed0

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
3.5MB

MD5
336e06426deee64f04b12c9621cea038

SHA1
ecd462e4a9fd413b4d6379f4e3868d9c3fcb93de

SHA256
0055acd39d96a8128425f59edb050b2f0b9fc981f3e262b6e57159780de59074

SHA512
e570f49e07bef8de1562fe747149d490d2b7c12e4e952fb68d7cce479c6ccf3a72ad8bd58d2846308cf3ae5e8bf73f23ead87fa94befcf601873cbd88cc4d01d

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
0ad97ab7596e2ef9ca7a5b30cf84b9bf

SHA1
df3b7026849a8ceb9f78c4d814232d8df3f57743

SHA256
12dee863c6b7b4cc837ce54265cfd8e11ffd6aa41769af41b7c4d8a1c9d39f25

SHA512
44b1f40a15feff3583e8e3d8c7acce26b6bb30b4a3dcad3390bdc9fce5112c6d7c3747ff99a5145f87cfbb5b2d47ee61c2f3ef4971e13c56f9b2d674d415b550

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
e86e45333e77b5c2b063349c978ebe16

SHA1
2cdfcb16c944d0d32b3b78919bdbbb2d2b90efac

SHA256
47dfb9994184c3030c48a1cc8f9732f85e7733ae388dd7ab222cca80943132ea

SHA512
d61d9a8bd4ae8940e5a92622091df1d6162321447c8f3f2ab0b972912039fb3ac5fdccddf253fbaa4e76c4562adaf059023a04ec1c24d10bdd3c6a672479d07e

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
8ef5f9fab7eb72a85630384ed07e6aec

SHA1
24c12a85e019fda69cb207d040e8b0670be130f2

SHA256
5ee9cf9e4ecbee8e6742dae9aff839a95a29f3a6914e554609fba35967cde078

SHA512
88719d1a1f4fe3a3701598593f45da93780bee0f7abc1eeaafc92357c3b1f87d808501bd6e05f3c1418cb50b520641031d3246e0bd57a4f661ddc121764568b2

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
2239df9e82116ba460d86566679f00f5

SHA1
880e32a53771518c44d1df01bdfd9f54fb86d907

SHA256
3c9cb91724cde8f7538d9774c6aa3e58565b8268d3004265f584f0e350c6b7b9

SHA512
661b9577c4aef3036ccda47395f9dd4c61c9278ac47d452a2b7b49e6e32a20e1c2e215a2f7cb9bde2efa607b9aa5cc5b5b2a36f1432e6e67160d0a885cad6db2

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
a8d9a325e529e2cea27f0edb338c3ea7

SHA1
a8951e5b6ef1b95c28eea062978621d28934d6bc

SHA256
543714e474273b344f999e2e34701cd3b3bee86a81e35894681d16e0060968b5

SHA512
5995caf6bb525989279f36de902db5684885d26f99ec667ea126eaefc4197d16a9ee140fa23f3c75f14053cfacf18c63386c98e77e44112f7ec62675ccb6b57e

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
38a3620b3c11813bd00d7e624693147e

SHA1
9fae24201f1dc4e3dbce1daaffaf45169ce8762d

SHA256
c581c933a6d2e532a8d5000a4986556a08477c094c609060ba3e12394b8fd154

SHA512
68466c958dc173f33b84d1c3e6d5e6a3a2ef23227b6c4487d9ca1a30d2e19ca326de97dae82ac7747f9c3188319389d74cc3afa71aaaecf953aa91988306adc3

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
869c19f32986b6a482381db07d8c418b

SHA1
010debf2bc2181e5b263452c799a573397d64985

SHA256
8df557f81078bb0c184d7b308aaa604305628700537fdaa7d381f4d73640bbfc

SHA512
efc98715adfac99d72b09d1a406caa02b166a30bed92aebe9fa4f1f38c051e6aefae798ca3bf379b9ec343a7abe7338f1d817ed5fcf6f4ee348fde77abc8cb59

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
1e3a834f370266ec27bcf1f8442bf105

SHA1
0e7d0ac3abdee99b474d4fa85e8ac84890242b27

SHA256
71c7ddae2c1a6487c56b212d651eb1e2e7e0fce5d19ae0e683ea1b9502d70b58

SHA512
5d3fe281c37838197a592db4701de702e4e44cca3d9acd78decdd19964c58a9e9af58c3a7c8734abdd05ea1bdfeb7f0dabd34779293fc202b12aadc2e0805817

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
8973e668e02d81cc59fe16ca749894ee

SHA1
e548b99a09eb6a8b0e5a3770c3f2f67d42ba06af

SHA256
9c210629f6d479c6e999c4530887fb0e74bd026641ac6f6c2fbf7a5f8b29f982

SHA512
4e4d7043fd82368e4685ed0ebcdfa211daf6c2005b299fd611d1b56794048d7119278c1fe6ff590840a287849799eab6f814ce4a46bffd6f78807704807828ea

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
8973e668e02d81cc59fe16ca749894ee

SHA1
e548b99a09eb6a8b0e5a3770c3f2f67d42ba06af

SHA256
9c210629f6d479c6e999c4530887fb0e74bd026641ac6f6c2fbf7a5f8b29f982

SHA512
4e4d7043fd82368e4685ed0ebcdfa211daf6c2005b299fd611d1b56794048d7119278c1fe6ff590840a287849799eab6f814ce4a46bffd6f78807704807828ea

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
ee06f57d577f6fe6dcb83622f41f9483

SHA1
810561c0c94589e196b543149486a85696ea2c9b

SHA256
920e1106eb9c043a3b7091dd63fe7314b0309e07cd48864148c1985ec68d4b5b

SHA512
c7f176df70c01a6fd2efa268dedd8d6587b06b3dc4a67cc2af802d875c83e9b7705bafca5638b9a9d8fb220abe6ed98b47c00da6fbc171bf582a3badbc5ecb7f

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
2fe4d7176aa7c5f99c90555c4bd191a1

SHA1
851e7eff7d0e966bd7607f5f938169c52d8bb64c

SHA256
0b643fa38fd89cca7085688f37dfae222ac6982dc2d95fd3d241133e752d3101

SHA512
9e7df07c9f2e532b1956d0a1ad56636d8bfac2712fabf25cc53a91f776a5076fee74790afa7d7ec0010769616a132f12da6110d5b5279cdb1f673342546a396c

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
ffdb85e3f2f7f4594c768681654686ef

SHA1
5b0b78c04dcd0d80b3bae64b1c93135ac7fd0513

SHA256
f835c9175e340aee04b530fa838e0ea9db8b215c3f6f1dfb4b21b43a41ca138d

SHA512
ee736c2b579e4e2a3c5603bc7d50df0c66816ee36e5d9c3643eadc5320bb63194239cb368560da6fc962f4864710643560ed87a86570df306332d2792d90c44d

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
ffdb85e3f2f7f4594c768681654686ef

SHA1
5b0b78c04dcd0d80b3bae64b1c93135ac7fd0513

SHA256
f835c9175e340aee04b530fa838e0ea9db8b215c3f6f1dfb4b21b43a41ca138d

SHA512
ee736c2b579e4e2a3c5603bc7d50df0c66816ee36e5d9c3643eadc5320bb63194239cb368560da6fc962f4864710643560ed87a86570df306332d2792d90c44d

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
8b2fc0f74bd7107f2b99c4beb7a13db7

SHA1
9b2f05737e8118a056a375bd08097b1be9a70400

SHA256
5509796da06b5b14f79004ba3cdb8e3b3d26bc0fc036c048464e89d2291f667c

SHA512
8aa9de23b5b0049b3f3cb773453643af872652c9eb8455206a50cc073a1535a35c0a4395c78e8d86f20747c654ee77a2095a84adfb0bd5f5793c1f124cfd74f1

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
0b938c275124c41acb1a2e86c9d62130

SHA1
dfdf1790aef387d722dbf750aff20082469b03cd

SHA256
c909a14651d8a49af351be933fcb4df3b87b8af304debbe482ceb8912b4c2f86

SHA512
e34eb283dae22751b176e85c0f19ed9920800addc5bf3c38349ce37c3b0969c712ad10d2de7527e2b8d3660ace802324054c433a3baade51a892455c2ec136f1

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
a18966f184a2e61b224fcf13940cb763

SHA1
4be088311d773c375d495553abcd925a2c4c2a7b

SHA256
70a21e717e1067ad53e642cd83640f5a80090443bb999fc2c01af3c8ae196b81

SHA512
89d74d613ff88f21f654e65f5370431b8d56415459a19b3ce2098e61b91a5dde16990fe1dd443508f2cadb5fb96420a003ae64ba2166eb33ec5fd68c103c9e7f

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
4af25507daab5be05081ded4c6d0839a

SHA1
41cf85532e0d90d01e7158f42bd16ca6134307d4

SHA256
c60c81bea4b888dbe435a865b3dde69800e6c8eacf438b7056cf98e98892d62c

SHA512
849ca3fea04745d83b1aca7e97da737c633ff15ddb6c2441365c8dd8d4401510702afddf8896ef4e6ff562b5bc6e5ed5063b9e8c675f27880d05c1f8caca0727

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
ad88fba9e333f46eef637472d217b2f8

SHA1
27c43e4128a958523987e5b88105d70776d07094

SHA256
416f211727d7bc8bcaee68f181b359a082e7fec3bf4b75bcae5adaf26699f45a

SHA512
e966d676e0c28e7f3d193a060274bba9532ede803b2dbc6af3567aaa71a52b703704e98f656c0cba9009bc21450c36ef1bc8963160eba5a57eb2552f9b7eabc2

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
4a586ceffcc84d2cf15b95095c53d3dc

SHA1
92cb143aa86f04ac98da38468dd358c379798b51

SHA256
66205dd634f8eacbc7de0dd6f412564a63f5f83f1123d950f87332fb33af6f20

SHA512
55b6228dc4afb4710d44fd310f573c73ec1f43cb0d6c9852d58f7dd66b515711534340bb7f19a0cea9666a2d55642da1b0761c7d3758531d02f56e96d88fb402

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
97a9ce576029b87528f86f35416c16e4

SHA1
ad9de8d29187d5ef06cd544cfab435328b08f736

SHA256
387e0875296cf9c32640b73fff915d8d99efcb2236f48f728f6cc3d704252c46

SHA512
ef0e309aed27c5cedf04d745aac8008fab79249ff48292ac4004150d23af93d19d142fc81e1b254ea55591affcb2258566e2cc8bba6259d50ab4d1f780cc9a3e

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
0fcd9e6abbe9db9dc7c530bdfdadcf24

SHA1
5ccf7e644c27cdbe0ef5df7b81e6c7cfd54adef3

SHA256
c4be3c472882551be443f501c2b5a134380f6276c165f239a45276475b066bd9

SHA512
12ddbd31a769fe20b06f3e89d754750833e7b75b5dbb0f7a795c1a467a24086589607bb13341d41f2c0d38fd179d3d71457787800138c9ed1a0c19a51cbb6521

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
8dc8124d1524e9d324d18df22b3fad96

SHA1
eae60a17f3d3088497c0296a9d6000239969b182

SHA256
57b16bfde1bdf1030e303c1d2e6dac12a0dd4c00d3d83a486bc247473e9c83de

SHA512
c6d6a0ed5dc72cc2bd390f430c9ae76724c72156e71ae53bf9c006a5da5635733138b873cd025328e73e2ff91965a84d3ffc326964a3b6f872f554a87c7624ba

Download Submit
C:\Windows\system32\AgentService.exe

Filesize
1.7MB

MD5
a8d9a325e529e2cea27f0edb338c3ea7

SHA1
a8951e5b6ef1b95c28eea062978621d28934d6bc

SHA256
543714e474273b344f999e2e34701cd3b3bee86a81e35894681d16e0060968b5

SHA512
5995caf6bb525989279f36de902db5684885d26f99ec667ea126eaefc4197d16a9ee140fa23f3c75f14053cfacf18c63386c98e77e44112f7ec62675ccb6b57e

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
e2185670ea2311ae31f2b63d1ac7722e

SHA1
7f882c328185a2ad193a023afd21782470a4382e

SHA256
1ee09689b2fe0975d9764a3763ce9c3201bdad851d33e2724ecd095844352d1e

SHA512
fe7a30b28cb22e7cd504b36f9fd628ba41df7fa99ff95347015faa09c262e16c3d7e22166ef6125daa110af1d34870d2674ba42646c5acf7a23d718f183cf92e

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
2eace0e38b3226d4d0f55755371c3182

SHA1
026a30d1e933d2d706331831bc4286d6f8af5788

SHA256
c6540bfe767a9d209ea98b5ce0407e3c4a15d24ee2e9bcd275a1379515832587

SHA512
0190b92de5ddb2118baf8ea91edcf0e27277e152fcdc515161ff8d242e350126a08791fe24b4a26b903003ac7382cf9247571f472938029c167e6bbfc8bea144

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
869c19f32986b6a482381db07d8c418b

SHA1
010debf2bc2181e5b263452c799a573397d64985

SHA256
8df557f81078bb0c184d7b308aaa604305628700537fdaa7d381f4d73640bbfc

SHA512
efc98715adfac99d72b09d1a406caa02b166a30bed92aebe9fa4f1f38c051e6aefae798ca3bf379b9ec343a7abe7338f1d817ed5fcf6f4ee348fde77abc8cb59

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
635ed8c3ab65d14aef04559f93c4060e

SHA1
27535af6f5b31849e162f07d5b6c3d2eb6f0c6ac

SHA256
1d792cc6a8dd5a4f626362a80f53de521edecbd1cfb7249c24a41bdf23c67c73

SHA512
d27848527ab81de951f004592fcfc1464e2bc0d3276650480486ef9b736bac3ec5a08cf405946a4ee8c0d11f8cc126267ab8869337b3fb66ceb099cd31e9208e

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
822604f83c41f9a7e8735cb3e032a19f

SHA1
9336ac18b85927deebdcbb20084c5746d563faa3

SHA256
6d4faf3300c7069c51185db5c7f97357b6a72dfe33eb20f7a5d0bc46c7ef5c2a

SHA512
fea9d8b048af006c4ad4bcd9563c38991643ec9cfa75784c04b411b816259b2b5a43c30e17d167962325fb52b77cc48b580afaad4d2dc0dd51f81a594519d9bc

Download Submit
memory/32-276-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/32-602-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/1076-205-0x0000000000700000-0x0000000000766000-memory.dmp

Filesize
408KB

Download
memory/1264-346-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/1264-623-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/1548-251-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/1548-587-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/1592-655-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/1592-397-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/1636-301-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/1640-218-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1640-559-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1640-207-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/1640-214-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/1696-690-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1696-437-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1724-360-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1912-396-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1944-229-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1944-219-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1944-220-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1944-232-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1944-226-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/2156-302-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2156-596-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2272-274-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/2544-774-0x000001DF6E380000-0x000001DF6E39A000-memory.dmp

Filesize
104KB

Download
memory/2544-776-0x000001DF6E380000-0x000001DF6E39A000-memory.dmp

Filesize
104KB

Download
memory/2544-772-0x000001DF6E380000-0x000001DF6E39A000-memory.dmp

Filesize
104KB

Download
memory/2544-731-0x000001DF6E190000-0x000001DF6E1D9000-memory.dmp

Filesize
292KB

Download
memory/2544-771-0x000001DF6E380000-0x000001DF6E39A000-memory.dmp

Filesize
104KB

Download
memory/2544-691-0x000001DF6E190000-0x000001DF6E1A0000-memory.dmp

Filesize
64KB

Download
memory/2544-764-0x000001DF6E380000-0x000001DF6E39A000-memory.dmp

Filesize
104KB

Download
memory/2544-768-0x000001DF6E380000-0x000001DF6E39A000-memory.dmp

Filesize
104KB

Download
memory/2544-775-0x000001DF6E380000-0x000001DF6E39A000-memory.dmp

Filesize
104KB

Download
memory/2544-767-0x000001DF6E380000-0x000001DF6E39A000-memory.dmp

Filesize
104KB

Download
memory/2544-766-0x000001DF6E380000-0x000001DF6E39A000-memory.dmp

Filesize
104KB

Download
memory/2544-624-0x000001DF6E060000-0x000001DF6E070000-memory.dmp

Filesize
64KB

Download
memory/2544-765-0x000001DF6E380000-0x000001DF6E39A000-memory.dmp

Filesize
104KB

Download
memory/2544-773-0x000001DF6E380000-0x000001DF6E39A000-memory.dmp

Filesize
104KB

Download
memory/2544-777-0x000001DF6E380000-0x000001DF6E39A000-memory.dmp

Filesize
104KB

Download
memory/3232-342-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/3504-394-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3736-536-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3736-191-0x00000000004D0000-0x0000000000530000-memory.dmp

Filesize
384KB

Download
memory/3736-197-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3736-199-0x00000000004D0000-0x0000000000530000-memory.dmp

Filesize
384KB

Download
memory/3816-149-0x00000000030C0000-0x0000000003126000-memory.dmp

Filesize
408KB

Download
memory/3816-435-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/3816-144-0x00000000030C0000-0x0000000003126000-memory.dmp

Filesize
408KB

Download
memory/3816-153-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/3816-143-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/3816-140-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/4092-491-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/4092-169-0x0000000000660000-0x00000000006C0000-memory.dmp

Filesize
384KB

Download
memory/4092-175-0x0000000000660000-0x00000000006C0000-memory.dmp

Filesize
384KB

Download
memory/4092-178-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/4164-338-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4556-249-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/4556-234-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/4600-203-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4600-187-0x0000000000430000-0x0000000000490000-memory.dmp

Filesize
384KB

Download
memory/4600-181-0x0000000000430000-0x0000000000490000-memory.dmp

Filesize
384KB

Download
memory/4600-194-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4600-201-0x0000000000430000-0x0000000000490000-memory.dmp

Filesize
384KB

Download
memory/4644-362-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4644-629-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4656-138-0x00000000055F0000-0x0000000005600000-memory.dmp

Filesize
64KB

Download
memory/4656-139-0x0000000007530000-0x00000000075CC000-memory.dmp

Filesize
624KB

Download
memory/4656-133-0x0000000000A10000-0x0000000000B9E000-memory.dmp

Filesize
1.6MB

Download
memory/4656-137-0x00000000055F0000-0x0000000005600000-memory.dmp

Filesize
64KB

Download
memory/4656-136-0x0000000005560000-0x000000000556A000-memory.dmp

Filesize
40KB

Download
memory/4656-135-0x0000000005600000-0x0000000005692000-memory.dmp

Filesize
584KB

Download
memory/4656-134-0x0000000005B10000-0x00000000060B4000-memory.dmp

Filesize
5.6MB

Download
memory/4756-337-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/5004-157-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/5004-163-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/5004-176-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download