blustealer | 6bd883240fc97aff61fdafa84f6b28ac22849b0097dc80c3a4cfa75611cf14b6

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
09-05-2023 01:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Purchase Order.exe
Size

1.5MB
MD5

50815feaceafebb93a883fd6790af856
SHA1

9eee055af8be7bc6de2b6a3b869b553758ca741f
SHA256

a894ab5bc1a3a77398b7c8b154acc165d9dc5e4e183e573daa8dda6c969d58f3
SHA512

08fedff0fca35a0be3201f41e2583089284640e98f8597d4b33582e3b0b7157db4d7da0b1587deccd69564911b702fe159e9de9700cf6edee875cbf191d64e0d
SSDEEP

24576:EMQt9u/6kEu3h2ZuJPsbIf0O9AXpTHH6yTuEBEel9DWtJ/qBcME7W+DUn+GOaHjR:Wt9u/6kzwu7sjFpBEeritJ4QB0ZljJ

Score

10^/10

blustealer collection spyware stealer

Malware Config

Extracted

Family

blustealer

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 22 IoCs

pid	Process
888	alg.exe
4844	DiagnosticsHub.StandardCollector.Service.exe
1208	fxssvc.exe
368	elevation_service.exe
3552	elevation_service.exe
1532	maintenanceservice.exe
1680	msdtc.exe
2000	OSE.EXE
3352	PerceptionSimulationService.exe
4216	perfhost.exe
4888	locator.exe
3296	SensorDataService.exe
1576	snmptrap.exe
3080	spectrum.exe
3528	ssh-agent.exe
3936	TieringEngineService.exe
4720	AgentService.exe
4972	vds.exe
4824	vssvc.exe
1020	wbengine.exe
1852	WmiApSrv.exe
4592	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\dllhost.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	Purchase Order.exe
File opened for modification	C:\Windows\System32\vds.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	Purchase Order.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\vssvc.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\wbengine.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\71da8094c9ce9937.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\spectrum.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\AgentService.exe	Purchase Order.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	Purchase Order.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	Purchase Order.exe
File opened for modification	C:\Windows\System32\msdtc.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	Purchase Order.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	Purchase Order.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4824 set thread context of 5012	4824	Purchase Order.exe	85
PID 5012 set thread context of 396	5012	Purchase Order.exe	91

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmap.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\orbd.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\tnameserv.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ssvagent.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstack.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jp2launcher.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Purchase Order.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jjs.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\policytool.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{989CBEF4-A34C-4AE5-A19C-57B2F66BB278}\chrome_installer.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstatd.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\wsgen.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\pack200.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\klist.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmiregistry.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\java.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javaw.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\pack200.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jabswitch.exe	Purchase Order.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\schemagen.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	Purchase Order.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\kinit.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	Purchase Order.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe	Purchase Order.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jconsole.exe	Purchase Order.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	Purchase Order.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000009b35de82682d901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000716d57e72682d901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c61b6be92682d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000042dee8e72682d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000099b92ae92682d901	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000057e250e92682d901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000766f1ce92682d901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003d1660e82682d901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	88	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
5012	Purchase Order.exe
5012	Purchase Order.exe
5012	Purchase Order.exe
5012	Purchase Order.exe
5012	Purchase Order.exe
5012	Purchase Order.exe
5012	Purchase Order.exe
5012	Purchase Order.exe
5012	Purchase Order.exe
5012	Purchase Order.exe
5012	Purchase Order.exe
5012	Purchase Order.exe
5012	Purchase Order.exe
5012	Purchase Order.exe
5012	Purchase Order.exe
5012	Purchase Order.exe
5012	Purchase Order.exe
5012	Purchase Order.exe
5012	Purchase Order.exe
5012	Purchase Order.exe
5012	Purchase Order.exe
5012	Purchase Order.exe
5012	Purchase Order.exe
5012	Purchase Order.exe
5012	Purchase Order.exe
5012	Purchase Order.exe
5012	Purchase Order.exe
5012	Purchase Order.exe
5012	Purchase Order.exe
5012	Purchase Order.exe
5012	Purchase Order.exe
5012	Purchase Order.exe
5012	Purchase Order.exe
5012	Purchase Order.exe
5012	Purchase Order.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
672	Process not Found
672	Process not Found

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	5012	Purchase Order.exe
Token: SeAuditPrivilege	1208	fxssvc.exe
Token: SeRestorePrivilege	3936	TieringEngineService.exe
Token: SeManageVolumePrivilege	3936	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4720	AgentService.exe
Token: SeBackupPrivilege	4824	vssvc.exe
Token: SeRestorePrivilege	4824	vssvc.exe
Token: SeAuditPrivilege	4824	vssvc.exe
Token: SeBackupPrivilege	1020	wbengine.exe
Token: SeRestorePrivilege	1020	wbengine.exe
Token: SeSecurityPrivilege	1020	wbengine.exe
Token: 33	4592	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4592	SearchIndexer.exe
Token: SeDebugPrivilege	5012	Purchase Order.exe
Token: SeDebugPrivilege	5012	Purchase Order.exe
Token: SeDebugPrivilege	5012	Purchase Order.exe
Token: SeDebugPrivilege	5012	Purchase Order.exe
Token: SeDebugPrivilege	5012	Purchase Order.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5012	Purchase Order.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 4824 wrote to memory of 5012	4824	Purchase Order.exe	85
PID 4824 wrote to memory of 5012	4824	Purchase Order.exe	85
PID 4824 wrote to memory of 5012	4824	Purchase Order.exe	85
PID 4824 wrote to memory of 5012	4824	Purchase Order.exe	85
PID 4824 wrote to memory of 5012	4824	Purchase Order.exe	85
PID 4824 wrote to memory of 5012	4824	Purchase Order.exe	85
PID 4824 wrote to memory of 5012	4824	Purchase Order.exe	85
PID 4824 wrote to memory of 5012	4824	Purchase Order.exe	85
PID 5012 wrote to memory of 396	5012	Purchase Order.exe	91
PID 5012 wrote to memory of 396	5012	Purchase Order.exe	91
PID 5012 wrote to memory of 396	5012	Purchase Order.exe	91
PID 5012 wrote to memory of 396	5012	Purchase Order.exe	91
PID 5012 wrote to memory of 396	5012	Purchase Order.exe	91
PID 4592 wrote to memory of 4784	4592	SearchIndexer.exe	113
PID 4592 wrote to memory of 4784	4592	SearchIndexer.exe	113
PID 4592 wrote to memory of 3988	4592	SearchIndexer.exe	114
PID 4592 wrote to memory of 3988	4592	SearchIndexer.exe	114

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4824
- C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe
  "C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5012
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path
    PID:396

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:888

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4844

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:488

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1208

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:368

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3552

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1532

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1680

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2000

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3352

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4216

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4888

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3296

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1576

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3080

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3528

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1796

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3936

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4720

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4972

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4824

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1020

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1852

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4592
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4784
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3988

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
7c1ca817aae32a4a09d98c532dd434a3

SHA1
11b830338633e12729802b3ebb85e5f3f31be3ad

SHA256
27c17272b1536b0ce298702f54dbcb1d910310fa10bcaa7a1d7952a7f3c1cabd

SHA512
1d7001f9473c81fba88475909b3a30437fa9b47aabf6fe6b62053fbe8294c3f5dbd0887f4f6b0156b6f99e2c7e4d679722f80f780c8a2b47d1024dade648ced5

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
e95dd66a58dbce8a834afc9f540ca62f

SHA1
755e9c70ebc224081b935a2e82a2e3e7580cdaab

SHA256
6953d74ed0b6e0d456c0ade78dc2df24f36c5fb149fca34473465159288ceab5

SHA512
4360251b0b0a97238f35a55c2f194ad4f5d6a2e5ce5ff4fa956e17433fecefdbfdc1f65c64258db8c1d511c5e98ae313d282bf51fad7297b9172a7bbdc2ca136

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
e95dd66a58dbce8a834afc9f540ca62f

SHA1
755e9c70ebc224081b935a2e82a2e3e7580cdaab

SHA256
6953d74ed0b6e0d456c0ade78dc2df24f36c5fb149fca34473465159288ceab5

SHA512
4360251b0b0a97238f35a55c2f194ad4f5d6a2e5ce5ff4fa956e17433fecefdbfdc1f65c64258db8c1d511c5e98ae313d282bf51fad7297b9172a7bbdc2ca136

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
df0e0ae8f8d323c6970d0c2e43e4228f

SHA1
7eec3ea27ff2d4fbab080dfe1b788e1bb9c9cd22

SHA256
6bc6c12a686e82e8928fd96bfce0f744909fc0f48fa6b0b6b835f4daa68cd568

SHA512
fd14dab9a9a1f1cfe5b170d1ad8f63756638839a27c5fea600aa784606cfe566a2bd0dd552680420c2142bc185d46ab2f99875d562b258b39c16fa1eb8edc487

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.4MB

MD5
c0c0134084c4f8ecb8a28c9ddf59fbf0

SHA1
72840dca6ca0bafd8961ce3fcb53e7a3e2390421

SHA256
1f646c113b33d2206446cb1427f50a369ecffd7433dd078c68e701d97195c5ac

SHA512
deca79a9bb639147bd8cb760ae54e3c7a86902dd6503b24eb32c6be46e26803f761f7f68d3ebb4ddf13f75107871c63a0e47f4796e73ce92daeb184e965ec2dc

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.1MB

MD5
c99cc02138fb9ac29f938e3ba02eadc6

SHA1
346171cd037c7b54028b08040986f0abfac5e20e

SHA256
c3d62a4c3581214967b1129d769fa5c30107f6857486d5c905c540899a143acb

SHA512
233ae572a5e5bc02fcd539c0ce7ded9f9c4a5b393db2292238164fdba362a6a4845f7feba4ee9215b2411677a705fba40c742da46af18fb06c3c664e61e47e04

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
69b9c738f16c1123b021d063c6e9bb4c

SHA1
267a411db009e37fe856f55899a94342f5e741cc

SHA256
49a510f3edd5a603b96ad4a006e7765d9b5f189a0e5be9c077970b338fceaa78

SHA512
d57a8a6dfbfbafadff93f0e72471a5cf32d23185f733c83b5a630d26c2f436dc6893cdee83631b471ba9b72c38aece2c63c393c44b411c5040360c47957a98d5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
c5e5c866630aff49f3c72ca4e5b3f53f

SHA1
d489b2d48c856501e3b8d2782150f8b387bcd288

SHA256
7034f1f44c2a04097af776c73570677135f1ecb2d3f07dea0eee108094429e8b

SHA512
568d8ef13e26ffbd96048d9df04346f9b15fc8bcc94a61a801870aa04aa75b6843956d6ea246f94969520f4882f1f154cd74cb488e1915ef6aeb7574fd5cdc11

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
b6c338f2227a3314512647a6c6597837

SHA1
49e7d7e44acadb3dfd7010e6f61cebb4c292aa25

SHA256
27e755a77d88d99cceca6651d0a4173c230bfd960c7c6f702e539662084db06d

SHA512
90110f9f8b1bceef3efa5ad8436ae4628677bb31a16130633083cad5374dca77198115ff784603123ac00172c5b2f55e252272ccbddf33e3abcfe6985f709de1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
c208dbe231ca6d29b100456bf7c6a7fc

SHA1
5a16035306da451f9c6c260e30b09546e71ad53d

SHA256
64bd6d155e7a5d983700f39af3b2ba5d66a7f7bfcb652de0991a3687bf327a2c

SHA512
9966eadff0773c2abb5d224a9608b332c236ee479fe230596f5d8ab95735cc967d09e2bc7bee63c9c6cbed997624c818f8fdd52cad9be8bdd88775d04df0c9af

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
10.9MB

MD5
da3392e8a889c90fc2c944fcecbe993e

SHA1
278b36dafa56777ead9a66a72b6b8d8655858fc6

SHA256
b8504122cc80ec24dd4f059f985c1d0d6589081818008ebeaf95186e73eb9b5a

SHA512
807ce1efb60801cfafffb65ec4f39b28bb56f8b965703974a6f8a676ee28b3fdf38fdc0abd6445d80972a754de3e4380b359f5b76efa9909f8347566f1baab12

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
bd13b37edd0471d907aeab7a8ddc0467

SHA1
c72465d46fb68fe1c4a2617159bbb72db5e9dafa

SHA256
df4052c3ef4d4554a0a52781a283729a9ae50127950060203ea81c08bd83f479

SHA512
9eeb4b7755eadebed6306d37e7ce2d59867c97690cfe4cd1ea7a13d583c14c8323f923e2c1d4d74cdd534064700c6419a0232637a13f83c22b79a1bd1fc72c71

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
073e167cf41984ba472aa26db84f8531

SHA1
a6437c9bfd917eda30b66c493af9b3a9c953b8e8

SHA256
2a56612ed959e69b62b7368d28134003e187110b0e62d59bd7d2cc8adf43e366

SHA512
871efbd66b28dea2cd47df95442857e7e0eec43041e3a55070e4974e074fe4c4b23e5269c6fedaa74b75e0c8c5091dc319f1e849a1e1cf8de10f8df7188c1574

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
8a875b7a5a42541db7d992e62e7e0c24

SHA1
f0187139c082a05579d8a12615fe5eb3c800efa8

SHA256
0c4d1017ed10073265df503a623da1cb83bf8e664e36cfcd7d9e896f862222c9

SHA512
3aff1837f0108ee3c1b793476f967c90c9919f58e7c2c04760f2c30259dfad367bc69acd37ecf67075e3ae47157e2fb0c2f578212b391ea2bdfe9b24eead883d

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
373de0f320933b8de4b1857bf699bac7

SHA1
a36b3c12184dfb41645a2868bffcd073e63391bd

SHA256
e054b15d11eed192c6b9954b3c9e9f43150b303370bdc722ed9102ee10f57482

SHA512
0c4ac978b89ada9f05414571091bc58cf47625b1fc24488d62527a3cb397ac246c351f03c0ad7b4f51c2c9fa8ac1e73f7631e6856c7a92f36b581d270611db44

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
3e078418588c03dff35f29a85cc9ed67

SHA1
d3a256cdfb79fa74baec7e6dedb22b3210f75792

SHA256
6198bd8dbcd064c8b95cd6fcbd65381d71b6586d341e875951486909358be7ba

SHA512
d5e1d74e93667738782f4f8df9ec1cae1e14b696c6084ea4f607f075955a08941d36a1b65a9d760b254dc56335a150ef33754b5470b664be93e3c74933cffbe0

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
982527e8e3753c6a00ad118822019c50

SHA1
72da2028e9f63fa024e8341904ec5039c29ef801

SHA256
64d013a4691ed5ba6886ec6edbb24e54a133cd811ab8295ae42a2b4a154e5171

SHA512
8f888c96468f67a4584b85a5a33d2f22b9364ff048d5941b98361c0922f7454ce9f7906736c844ff600fcbd831284fd0e699c2a3c04748a0b5495f178268d9c6

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
854c357d11df2bc3064bdb648cd89e10

SHA1
704babead6724641fd9b812d2882a38e77fb3874

SHA256
aec26b7181f03569ffce7db60a929eba7b1995fff01b543338fe4ba31402eee0

SHA512
3bf7819807d6345f31aa325850c3044e108bc0f5cf6fc232e5f5524355fcc3b7386d97946fa257d6754586964ce69f28425178ebc2da0b6e5b0f8051287b7f07

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
40fc5cd11f0b3ad6a7a63aff9d584353

SHA1
b820b74a17eb929a19d77ba61fb874467c2cab14

SHA256
b2f6b0a8f0d5fe92e561da79f6332ebf6f1671fc32d415d61d384509d0f7f66f

SHA512
b4e5bc614f7b1e8c2eb3cf91da4fb42462dd68995b63e7c48d001130e5abb39db330701baa7f41fea862e47cb8f95d21ddc4668a25071ff039d85a68f005479f

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe

Filesize
256KB

MD5
fbe3407818595e11e68dfd9e6dc6539a

SHA1
7979c80f709795c1b7ca056b1b79c72673560567

SHA256
cb7d3903ac28d0d3eea4fc9f572e2c121253a0ba2d8e00caac1b86d2b0a3df3a

SHA512
a06badd1dd68b664418e77aca8cb239988b0a39bdb40dd63966306425b2b3909003bea1f395cd5ef443edd21384dfaf2be5d547f88993d6f7f9dbc990cd059f1

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javah.exe

Filesize
256KB

MD5
ce4eb3282dccd3f74814fd0c427e0c1a

SHA1
bc164fb5c243fc44b1b324e4f37b777ab8a9971b

SHA256
ff810a10fde9c09a1e0ef48495bb6cdea1d932a438431dc76ca02de8977b01ac

SHA512
9ec84a5ff0ed55dcae24e9b2f5f16f10b8ee5388bbb872ade5180b6960f80cab62307e0c3fc35a932bc7cf534b74f1c3ded056cae0c8a8a30d27fb2c713d234b

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe

Filesize
256KB

MD5
9be77abbc2304254bf56e5c5da58af10

SHA1
5123b3cdedd2ca5efc4c6c4d205d788ac628a10f

SHA256
60c39dd652c76671b64d7930c9ac39e2a53ad43ecae533f5c10152e7369c5d73

SHA512
84aa211c9773092a100f7a2a634525f4954de3c6f121987a9a0c2980a423d9025d8eed076177730b265aeb2de5763a9d1fdff7b3b0f0ce17880beebf499485ac

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe

Filesize
234KB

MD5
d28b4bcbe851181dc0dfd43572b352b3

SHA1
c43ea4cb9b1606968df7e256068e7624c862aac6

SHA256
28ac4b75254cf61e1e8be9d50adc97dd0daade1186d9c6b2120a5f4fb61e786e

SHA512
39ae5ee82e1625a6fccadf1bac5c6cfa882286efe5e51dd90a6a003ce8a6bf03ac13a2f04c1300fb847599b798ccb53018666cfcedaf24273dad77db8526d05b

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe

Filesize
192KB

MD5
20a996cb04d2701b882a973601165e25

SHA1
b95f2cb709dbd5abfcf93f417d60cb5a8ef53c9d

SHA256
7a003f7f16e41128f72b61e1a4a3e8df5114c60efef62cd231e2317735c22839

SHA512
b931ae5f05a43a788a4442d0d3abe57e3a7b7dc1f1e86b694fba26e9cd97cd87159a77f11eb93f309e928dbd8aee3b607be15f1eef902e8fb0e2693ba6632513

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe

Filesize
192KB

MD5
24fe4eb3b92bdf2953ea7ec8003971aa

SHA1
e704d6637d103093644c9dc041ea6ae84cb313b7

SHA256
f93ce526dc49f906c15979307e7e17acea7818386d98388309908bbe85a421f8

SHA512
67984e7d8c29c9de2257fc9bc5646e8caef948442398b3638f145eeade74080a1a19f162f2c5d694072b3fd42373f6ec6c09f221dbe41d7839d7e0386e7dd9d5

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
651a064630d6c81d70ea571a45e7dd0d

SHA1
64c6b2a0ea81d0648bb89389526c95f35ee9bd23

SHA256
35d0cce34bac676229024f77a5ec511f0b327e412b21caf745e0841714ae886f

SHA512
d6d3c9f276b3ec4a7440ea7b56db50cb95dc4bef8e135a2cc99410a427860fb4bb1cd7fe2286fb7b7027f93aa69e03e192813d408997e93c74ca85bc37aa4398

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
397f46db6ff31c81083745b9ccaf7734

SHA1
b3c7e99dbd46ab28f801e0c0d139bbb397823fb4

SHA256
14dcb5bbcf76438ae44cbbacc0c2cff4f979bc6dd4e2a0ce39c7551a0e960ebf

SHA512
53816e1fdac80e957d852a86fde46d8c284eb7a1a2060f2a759b1c94b240eced8e42fc673f66c07612c9c708aac196cfef56bbe45207b9a39bafcedaa89ccf3a

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
5da453c41891e09bd2cc0ae8d72263d0

SHA1
214ccd48d379918d75b582df6ae8a78ed4611dff

SHA256
2cde920b61c8435bd1f7ea68c8f6298a5b735ae14bddfbc02c1beb3e15300aae

SHA512
d5cdd133da4c4b3dfa6518d01132258920ac88d912d8dd8017a65811376723268a6dd8b78b731f1dbd46731d73e0e74753c953bf31a073d767040b2bb089d13a

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
fdf7a07f2f43ac216834b286f8b400fe

SHA1
8994d1b81239fd02df403753b15ded9542988044

SHA256
75c7aa76f4e4d35c5d294d266830b6a375eca481a9e8eebb5e224c079a18a68b

SHA512
394d3a70f51f7dfa6b7328bc010970f6c483c89afd069c7bc4c593d6ca6342ce5faf6ada0e09156a1cacfe87a5b5015ff37e55f928bf17a400afa5cd7241a906

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
60c755dc2091c37a8d87096291d49989

SHA1
cfd56a34874872461153fec5bf246b1f1be9461f

SHA256
f41c2d2455f14d3ea3ddc0efa2082de2dadd649bff63030e5c4cea877281f69e

SHA512
51815e8dd63b9eedc55a5c9d6a08ac64adb41513200a3d8149455f0ace206fe3e9032a1acd9f003aa65c2b5c4b2bbbabc29a90a868a1578777d09e0531343884

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
05dbc0422b04266549e114d94565768b

SHA1
1f6ed317e148608456e04c4b3222fc14f8c414f2

SHA256
f0d85abdf2f3f1ae9112c181a2d4a0a05a824f3d7f3800a38871ef00f9fa1120

SHA512
6bcef7fb993096b6dfe48e5847ceab70158bc7d8022a8da92ceeee92e3b23b44180afca40233732b78a058d7ab484a442e2e6e70e65949f7cd622b8182005656

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
62e5a7926b46ff09741969727b382374

SHA1
362f6babef548b8aca363deaa019d29d384df478

SHA256
d78ad419cc9a33ad596bf7b601455fe45331ea2e538630e066dc6f8c372ef56e

SHA512
af71a5716937c6559682808664752376bbfad8a2a1a75248b9784806c6d86bde5246be02ebfce0e7a941ec0219e65110e25fba4965fb94238a0011db3d9bbc62

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
62e5a7926b46ff09741969727b382374

SHA1
362f6babef548b8aca363deaa019d29d384df478

SHA256
d78ad419cc9a33ad596bf7b601455fe45331ea2e538630e066dc6f8c372ef56e

SHA512
af71a5716937c6559682808664752376bbfad8a2a1a75248b9784806c6d86bde5246be02ebfce0e7a941ec0219e65110e25fba4965fb94238a0011db3d9bbc62

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
a9de1536db3c2de0703ccc16b2508a12

SHA1
f5932dd5384e7671d0e3cdde21b37336398c8173

SHA256
fcb1ee2bbee23c87a00ff7b35d550a1c41de51fa2a1f117d3d8a98b54efd3459

SHA512
4420b2c8cfaddbb469d92b06daa660ecc0544393b9f973bc638d744fef04d82ecd70b7be7d53793a606917fc9fdf81e6f76f7773115fb9dc8f9d1a8fdc2e8594

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
57d68cad1e905d11ec34b67ec813ebb5

SHA1
5f4f47315832478db0ce5c5b6e0553c63837b471

SHA256
700778ff9c04e3966f26c811099ada35e591d50427d810f3fd5342c251e8a062

SHA512
3e3c372839df3a5a2885d0d58226f531639e78603512a763f484f8bf7b7f83058a994f6bb14fe5d2f2e03611e7ed5951edb3286b8526a4e14e7539e0cc915fe1

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
a712447beadf41d13f71654548d7d3cc

SHA1
c1324277012dc1ae32c05b3b6a96536bf79ac673

SHA256
3d56c7850db25ecefed69a1a80aacb6bdb2266df45a2fbc94f79871681d95084

SHA512
b18add9d0e862f90f780de4734c3777a0f8b4f96fed73208c24aba061134228088b151de3d6f1e37bca3fca1d2354ce3978474d909ef0e3e734159045efac739

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
a712447beadf41d13f71654548d7d3cc

SHA1
c1324277012dc1ae32c05b3b6a96536bf79ac673

SHA256
3d56c7850db25ecefed69a1a80aacb6bdb2266df45a2fbc94f79871681d95084

SHA512
b18add9d0e862f90f780de4734c3777a0f8b4f96fed73208c24aba061134228088b151de3d6f1e37bca3fca1d2354ce3978474d909ef0e3e734159045efac739

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
60341071d90b61c10e9923c3d19671cd

SHA1
0a27859623393bd12f447d30295a89f3f82ec4cd

SHA256
5d9069f4a8e7344c95eb7b1f8f27a4e2b008eb9a45880ae45da6fa9e6cd5892f

SHA512
ef160ce4873177ba9a407cff7b1729d24bb6970be876a7fd23af19eed4c4fd8a52db34836f4b109de392b5394fb2ae989b6d851aff610916a1a3cdcdddaa5772

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
7ee530d896ab48743ebf2a9411028dd5

SHA1
078f3d90717e70a65eba5bbf936b352df6185655

SHA256
69bb62a3a228605fcef5d645032e59ea44da3bd04f0cc13a98dd98bd7af230f5

SHA512
f8cd3a78a0f04766a0b6f4b96827a5425ead7487b3b1233053979374de95c21e2b3588c2eab198e6c8f6401296c2d4594109ad67fab5bdc1c348a2a77a26482e

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
04df30d847985b7f637bc25f30339613

SHA1
e7fb47c8c3c2a5abd4c987684f90f1bff2612ccd

SHA256
31036af5f7b0575df4216cfbfccd90a45083131301395f178838bfb22fb00da8

SHA512
a540ce6122ce5d885e828c29fb0147cca7b71843f66403cd41dfda451283e0f09dbfea96ba5637965288e0d236a71083802a862b60b937d27b506ea1454c2796

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
f2e931356663dfce51f2f7186ecd2512

SHA1
f376d6c081854df6f959c9496afe97d5f1538091

SHA256
943ef60b6c79486fdd4b516cb93ae56c3619f9e7975bde628f1ee64663cc8a01

SHA512
486e842e8c83f09c31a7dbc907ffd3c3c945f8113335093afdc743f4e47eeecda5ad8c4fbbb626478033a9f404623c3a0ba3497fe233774843c03641f98e496c

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
16e051b7cdc3c885255c014e2ea8fb52

SHA1
94aa0ec2ab757b344d160e139661967e016bd109

SHA256
969184a37dc0ca56d7ddbac7afe71a22bef1c852dcdfc160c4fe967f31351ad3

SHA512
fd2ce38c8ed85c8abb5f0d415470bb7cf80165a1eb76816c04e193ab771e5b275ca56b18ad2caa03c0a7dcf1b750cebd220af24b9a6603f3cb34d47751a34bb5

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
c156d767c16a824250dd6138751224fb

SHA1
0731f8c0b67149233eeeee7b3a42b74590ee7d6e

SHA256
9d9a31ea20c1d936d107c27872324ef4dc5ec9c5164247c42497a53ba97b2933

SHA512
824b08e2f2fa10adb2c4eadea361039e587cc1a7ce92897dabeb0413c92303b77be817ec55bb0c5b5528375c0a4601e84c4613265c28eb03979a9b1dba6f0f41

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
c3b17af56b3f59da16cdcc4a759e4486

SHA1
12bd6c8dcc92a132c45c467d1d43e7fad64aad54

SHA256
50cc82bb6f584ae968f70105dcd1a3c46754ecafd28e9e2e31bf368f02aa7221

SHA512
be28184501c8f83bd99a6a20020ebd343177f4f5ef1a2afaf4260f0c209a8e05768f832d1df8cfd9c09635990fde8c149ffb673f7acfc8c3a70afc0e9f20ebef

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
b7cf1cb413f81863df735a5f99a30178

SHA1
bbc7ccf49a87288582074d35ca49db74b82ec0d6

SHA256
6506e7951ba717703cef06e0a62f4e775bccc89b081975d02c4c40cb5759f902

SHA512
649172c9330d34fd5e75c5c7930688acdaed291b3fe364d88535ba595cbf68ab8dfbb3e004e26c50fd36f8caf98de96e4766756ac3e266c82d8a80cc2787cd1a

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
dc332f8f68238ac65fd1a9909b829e4b

SHA1
3e5083332a03c60eba7cdd6f8c3cae96d5ba2981

SHA256
3b371fdfad025813372075d9dceccd9853dc41114940bbde7889487549c86508

SHA512
a591b2cf6f32bc445425b6d49e6ffce2daf95e6e5ccc0d687069fd2e49d39a755ead5024a342eebd08df426069604b5f424582588adac4cdc53875e9f9f9d052

Download Submit
C:\Windows\system32\AgentService.exe

Filesize
1.7MB

MD5
5da453c41891e09bd2cc0ae8d72263d0

SHA1
214ccd48d379918d75b582df6ae8a78ed4611dff

SHA256
2cde920b61c8435bd1f7ea68c8f6298a5b735ae14bddfbc02c1beb3e15300aae

SHA512
d5cdd133da4c4b3dfa6518d01132258920ac88d912d8dd8017a65811376723268a6dd8b78b731f1dbd46731d73e0e74753c953bf31a073d767040b2bb089d13a

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
c59d22aa68d9dcc463f3084a083bf540

SHA1
3a6024e457828b3c2fe881e159991fd608676890

SHA256
b06e577c41d973dbb317bb38f954206c0708212d554f1151854ac7111062c75f

SHA512
4a5b1acca6cdf9e9325336e5abb6ad565c5bee1adc43a01727b9cd8733909c2cb9d799f33a270492c30c3c857e92f570d642b681dd81ece6cbd49aed19d21eac

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
1af78efbbab641ffa84d28547bd6f696

SHA1
6b7e19160f373870e467803ea731e02aada66377

SHA256
6eb064fcf59c2532798cc42c1153f0bdab005cb428b7fd0bd19c6b93c3d69ced

SHA512
8c51e1a9e3a89093143e72a4183685a8d3561003e640bb5199017a7371fd0b4914c9dff327226e14ecb5088f3aa5224be9f2a2f0047fd501ab041805b6a76b7f

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
60c755dc2091c37a8d87096291d49989

SHA1
cfd56a34874872461153fec5bf246b1f1be9461f

SHA256
f41c2d2455f14d3ea3ddc0efa2082de2dadd649bff63030e5c4cea877281f69e

SHA512
51815e8dd63b9eedc55a5c9d6a08ac64adb41513200a3d8149455f0ace206fe3e9032a1acd9f003aa65c2b5c4b2bbbabc29a90a868a1578777d09e0531343884

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
ac258c9626a92d6df45e5e058f86082f

SHA1
f5cb33a5e49368d9f3198e8bb49e813f697b5824

SHA256
b3e269fbc37b25e29f6ecd8e2da9c09749a7e95627e366d75be08823048fae62

SHA512
c453379e0275d93b5ec307895f03c07132bb0bb402ed04206752774d5cc698df5eff62b4d6683d6bada546eb32226983ccab017384d5404f06fca58f3dced3db

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
a82973d2b376bf7f19a6326e99586853

SHA1
ffa3b7e56bc45dfabaafddf279015fd0edc7a09f

SHA256
567b0546dbee17f9c8fda9fbd73efeb538cc0f91249754b884f5318e2726eff0

SHA512
c5cdaf5c99b42481aa24bfc847e86deefd61162d8bb020b0ef2e3dbaadb8c17fc8203f8093c8971c16cfa274f1740dd3c28eda8954bffa7946886fb01c9797e0

Download Submit
memory/368-198-0x00000000004D0000-0x0000000000530000-memory.dmp

Filesize
384KB

Download
memory/368-192-0x00000000004D0000-0x0000000000530000-memory.dmp

Filesize
384KB

Download
memory/368-215-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/368-543-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/396-217-0x0000000004C70000-0x0000000004C80000-memory.dmp

Filesize
64KB

Download
memory/396-202-0x0000000000570000-0x00000000005D6000-memory.dmp

Filesize
408KB

Download
memory/888-459-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/888-156-0x00000000004A0000-0x0000000000500000-memory.dmp

Filesize
384KB

Download
memory/888-162-0x00000000004A0000-0x0000000000500000-memory.dmp

Filesize
384KB

Download
memory/888-167-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/1020-404-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1208-180-0x0000000000E20000-0x0000000000E80000-memory.dmp

Filesize
384KB

Download
memory/1208-190-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1208-186-0x0000000000E20000-0x0000000000E80000-memory.dmp

Filesize
384KB

Download
memory/1208-200-0x0000000000E20000-0x0000000000E80000-memory.dmp

Filesize
384KB

Download
memory/1208-204-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1532-220-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1532-232-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1532-229-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1532-226-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1576-327-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1680-244-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/1680-234-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/1852-675-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/1852-405-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/2000-275-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/3080-637-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3080-329-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3296-579-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3296-302-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3352-277-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/3528-331-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/3528-639-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/3552-206-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/3552-540-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3552-212-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/3552-214-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3936-348-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/3988-769-0x0000013D110C0000-0x0000013D110D0000-memory.dmp

Filesize
64KB

Download
memory/3988-608-0x0000013D10F90000-0x0000013D10FA0000-memory.dmp

Filesize
64KB

Download
memory/3988-767-0x0000013D10FA0000-0x0000013D10FA1000-memory.dmp

Filesize
4KB

Download
memory/3988-768-0x0000013D10FC0000-0x0000013D10FD0000-memory.dmp

Filesize
64KB

Download
memory/3988-640-0x0000013D110C0000-0x0000013D110D0000-memory.dmp

Filesize
64KB

Download
memory/3988-770-0x0000013D110C0000-0x0000013D110D0000-memory.dmp

Filesize
64KB

Download
memory/3988-609-0x0000013D10FA0000-0x0000013D10FA1000-memory.dmp

Filesize
4KB

Download
memory/3988-641-0x0000013D110C0000-0x0000013D110D0000-memory.dmp

Filesize
64KB

Download
memory/3988-610-0x0000013D10FC0000-0x0000013D10FD0000-memory.dmp

Filesize
64KB

Download
memory/3988-676-0x0000013D110C0000-0x0000013D110C2000-memory.dmp

Filesize
8KB

Download
memory/4216-581-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/4216-278-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/4592-460-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4592-729-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4720-360-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4824-138-0x0000000003000000-0x0000000003010000-memory.dmp

Filesize
64KB

Download
memory/4824-136-0x0000000003000000-0x0000000003010000-memory.dmp

Filesize
64KB

Download
memory/4824-375-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4824-135-0x0000000005390000-0x0000000005422000-memory.dmp

Filesize
584KB

Download
memory/4824-674-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4824-133-0x0000000000940000-0x0000000000ACE000-memory.dmp

Filesize
1.6MB

Download
memory/4824-137-0x0000000002FF0000-0x0000000002FFA000-memory.dmp

Filesize
40KB

Download
memory/4824-139-0x0000000007320000-0x00000000073BC000-memory.dmp

Filesize
624KB

Download
memory/4824-134-0x0000000005B10000-0x00000000060B4000-memory.dmp

Filesize
5.6MB

Download
memory/4844-176-0x0000000000650000-0x00000000006B0000-memory.dmp

Filesize
384KB

Download
memory/4844-188-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/4844-170-0x0000000000650000-0x00000000006B0000-memory.dmp

Filesize
384KB

Download
memory/4888-300-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/4972-373-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5012-144-0x00000000017F0000-0x0000000001856000-memory.dmp

Filesize
408KB

Download
memory/5012-143-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/5012-140-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/5012-149-0x00000000017F0000-0x0000000001856000-memory.dmp

Filesize
408KB

Download
memory/5012-164-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/5012-458-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download