blustealer | f1de1c385fac0c850ee30233c971a76beee78824500899f5c64db03c70ac2e03

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2023 10:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Purchase Order 202319876.exe
Size

1.7MB
MD5

09338b623f4473341a54191980901783
SHA1

40c8fca01c37d1f1592dacc06f48b918311e37e7
SHA256

f1de1c385fac0c850ee30233c971a76beee78824500899f5c64db03c70ac2e03
SHA512

03da01911a00993ce7ddcd58a3cb6e185389bc341f8b1bde6c287eeca220cf960c690f91d0442b48f812993750d37dc4da4ce86bf6dfc53d00aa9829a31f8fe0
SSDEEP

24576:+b3IBXM8LcvUtY+FGkacy9RjdMD84XKpJKbJ6byq0TyJN8Wo+uOZakN:WQXZcvUtYRcGLoHvJQb8WoIN

Score

10^/10

blustealer collection spyware stealer

Malware Config

Extracted

Family

blustealer

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 22 IoCs

pid	Process
1084	alg.exe
4004	DiagnosticsHub.StandardCollector.Service.exe
3592	fxssvc.exe
1416	elevation_service.exe
1360	elevation_service.exe
4068	maintenanceservice.exe
3416	msdtc.exe
1832	OSE.EXE
924	PerceptionSimulationService.exe
532	perfhost.exe
2864	locator.exe
4620	SensorDataService.exe
316	snmptrap.exe
2288	spectrum.exe
336	ssh-agent.exe
2168	TieringEngineService.exe
436	AgentService.exe
216	vds.exe
1716	vssvc.exe
4088	wbengine.exe
3860	WmiApSrv.exe
4140	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SearchIndexer.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\system32\wbengine.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\13defd069a2815e1.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\system32\dllhost.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\System32\msdtc.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\system32\AgentService.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\system32\spectrum.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\System32\vds.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\system32\vssvc.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\system32\msiexec.exe	Purchase Order 202319876.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2000 set thread context of 4252	2000	Purchase Order 202319876.exe	88
PID 4252 set thread context of 1540	4252	Purchase Order 202319876.exe	94

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\kinit.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jabswitch.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jinfo.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\pack200.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\policytool.exe	Purchase Order 202319876.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdb.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jhat.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\klist.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jabswitch.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\ktab.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javaws.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\keytool.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\unpack200.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{71ADFEE3-430E-4776-83B2-F32638BD7B7F}\chrome_installer.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\servertool.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\tnameserv.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\servertool.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ssvagent.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\pack200.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmc.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jsadebugd.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\java-rmi.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jjs.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\unpack200.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\nbexec64.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\kinit.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\ktab.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\klist.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstat.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\xjc.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\java-rmi.exe	Purchase Order 202319876.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Purchase Order 202319876.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	Purchase Order 202319876.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009da01d553a83d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e2b8b4543a83d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c174765f3a83d901	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000038d40d543a83d901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fa1d4f5b3a83d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b666ba5b3a83d901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bb88e0533a83d901	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b690295d3a83d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	90	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
4252	Purchase Order 202319876.exe
4252	Purchase Order 202319876.exe
4252	Purchase Order 202319876.exe
4252	Purchase Order 202319876.exe
4252	Purchase Order 202319876.exe
4252	Purchase Order 202319876.exe
4252	Purchase Order 202319876.exe
4252	Purchase Order 202319876.exe
4252	Purchase Order 202319876.exe
4252	Purchase Order 202319876.exe
4252	Purchase Order 202319876.exe
4252	Purchase Order 202319876.exe
4252	Purchase Order 202319876.exe
4252	Purchase Order 202319876.exe
4252	Purchase Order 202319876.exe
4252	Purchase Order 202319876.exe
4252	Purchase Order 202319876.exe
4252	Purchase Order 202319876.exe
4252	Purchase Order 202319876.exe
4252	Purchase Order 202319876.exe
4252	Purchase Order 202319876.exe
4252	Purchase Order 202319876.exe
4252	Purchase Order 202319876.exe
4252	Purchase Order 202319876.exe
4252	Purchase Order 202319876.exe
4252	Purchase Order 202319876.exe
4252	Purchase Order 202319876.exe
4252	Purchase Order 202319876.exe
4252	Purchase Order 202319876.exe
4252	Purchase Order 202319876.exe
4252	Purchase Order 202319876.exe
4252	Purchase Order 202319876.exe
4252	Purchase Order 202319876.exe
4252	Purchase Order 202319876.exe
4252	Purchase Order 202319876.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4252	Purchase Order 202319876.exe
Token: SeAuditPrivilege	3592	fxssvc.exe
Token: SeRestorePrivilege	2168	TieringEngineService.exe
Token: SeManageVolumePrivilege	2168	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	436	AgentService.exe
Token: SeBackupPrivilege	1716	vssvc.exe
Token: SeRestorePrivilege	1716	vssvc.exe
Token: SeAuditPrivilege	1716	vssvc.exe
Token: SeBackupPrivilege	4088	wbengine.exe
Token: SeRestorePrivilege	4088	wbengine.exe
Token: SeSecurityPrivilege	4088	wbengine.exe
Token: 33	4140	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4140	SearchIndexer.exe
Token: SeDebugPrivilege	4252	Purchase Order 202319876.exe
Token: SeDebugPrivilege	4252	Purchase Order 202319876.exe
Token: SeDebugPrivilege	4252	Purchase Order 202319876.exe
Token: SeDebugPrivilege	4252	Purchase Order 202319876.exe
Token: SeDebugPrivilege	4252	Purchase Order 202319876.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4252	Purchase Order 202319876.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2000 wrote to memory of 4252	2000	Purchase Order 202319876.exe	88
PID 2000 wrote to memory of 4252	2000	Purchase Order 202319876.exe	88
PID 2000 wrote to memory of 4252	2000	Purchase Order 202319876.exe	88
PID 2000 wrote to memory of 4252	2000	Purchase Order 202319876.exe	88
PID 2000 wrote to memory of 4252	2000	Purchase Order 202319876.exe	88
PID 2000 wrote to memory of 4252	2000	Purchase Order 202319876.exe	88
PID 2000 wrote to memory of 4252	2000	Purchase Order 202319876.exe	88
PID 2000 wrote to memory of 4252	2000	Purchase Order 202319876.exe	88
PID 4252 wrote to memory of 1540	4252	Purchase Order 202319876.exe	94
PID 4252 wrote to memory of 1540	4252	Purchase Order 202319876.exe	94
PID 4252 wrote to memory of 1540	4252	Purchase Order 202319876.exe	94
PID 4252 wrote to memory of 1540	4252	Purchase Order 202319876.exe	94
PID 4252 wrote to memory of 1540	4252	Purchase Order 202319876.exe	94
PID 4140 wrote to memory of 3804	4140	SearchIndexer.exe	116
PID 4140 wrote to memory of 3804	4140	SearchIndexer.exe	116
PID 4140 wrote to memory of 836	4140	SearchIndexer.exe	117
PID 4140 wrote to memory of 836	4140	SearchIndexer.exe	117

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\Purchase Order 202319876.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase Order 202319876.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Users\Admin\AppData\Local\Temp\Purchase Order 202319876.exe
  "C:\Users\Admin\AppData\Local\Temp\Purchase Order 202319876.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4252
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path
    PID:1540

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:1084

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4004

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:5048

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3592

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1416

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1360

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4068

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3416

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1832

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:924

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:532

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2864

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4620

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:316

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2288

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:336

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3320

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2168

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:436

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:216

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1716

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4088

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3860

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4140
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3804
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:836

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
0190ccfd7594be423d8f3c503620f9ec

SHA1
6ecfb8ae4e0c8f2aad089e5f05bcce8dad14a0a1

SHA256
0507cfe43e2f4da77ae2b03e5ca14a2e49ba5cb6b63257a6270e2c2a63008011

SHA512
9b7e9a6a5cb6a51274a7aaab296481c216b5f4c93a8a8bacf35b39f1d8c3210736925215a3c1a0817d7c289fa6bf99c38dd177a2ab82a60628f25153609b032b

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
2bd62c8b14c9da2836ce04156bb28df2

SHA1
e47c882b390c3f03eab2603c78a48c064154e27d

SHA256
4691c5b34673f97717e755abcd4b643f71ebefca6291c9fcfd7dfea6bc1e5646

SHA512
9364209b74c8ca84befe882ca0695d4c315f9b1673a9157016105e2f2c7173f940af5207dd6319b6efb4a70b6147778ae0e1e57fc8083344593d7889d4bb0db3

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
2bd62c8b14c9da2836ce04156bb28df2

SHA1
e47c882b390c3f03eab2603c78a48c064154e27d

SHA256
4691c5b34673f97717e755abcd4b643f71ebefca6291c9fcfd7dfea6bc1e5646

SHA512
9364209b74c8ca84befe882ca0695d4c315f9b1673a9157016105e2f2c7173f940af5207dd6319b6efb4a70b6147778ae0e1e57fc8083344593d7889d4bb0db3

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
ecaac77b5d5fceefb0491939363ee9fd

SHA1
7dc904a522fccbb505b5a2e40812128c3ab9aec1

SHA256
f3bf4d8079cf841fde79361515391cd58822dc7a64c67c478d828eeae20d416e

SHA512
7c07971fdc9516bde1638d60c143f66a3e2bbfe679e4ffc435625c38db5c4262aa1b694b1035c74894e1c8a492e616005cc00fa7e8affca2867f2c28047d642e

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.4MB

MD5
848b155023d534d8749b3f4b21fc9e05

SHA1
f006dc2830a3c699a4996529f979dada20a57631

SHA256
42a2045fd7be46ab06c34a3a826a60eb79a93e9c9daeb9fedcefbf3314f697e9

SHA512
4d4c76e22fe909d4b92d78d20bed52075f5de38cfd4bf0e984ae9514d22df913e0f70ba6cd1c822f12d8f82aef0f9d2ac47ade76b03eb75eaa42d9ac80587723

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.1MB

MD5
923322fb7d9030ceec2c253b42231782

SHA1
20097cc71baae1272851d9ed280f5bb1b994f7cc

SHA256
fc4e6f86228688c1461c2b35f27a883e86b7ce6a5cbb5fccb280301687259bde

SHA512
d5c07eae86b01510f86f98fb64d179a2ac730523b01125a502706757e576e86e8b6d6b3fb5da7182c270ae0a8cdf74026a5aaaecf4eeffdf281c41049ffe482f

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
7ab870373579d0aebe21d11854962560

SHA1
a15f56481b2e7bb98478a8e672f8239a6a30c480

SHA256
dae793d64f0f8650221bd92f0bb39489f1eca757a2a495ea5432128f9c348225

SHA512
b34ee914c5daa794c0584621458052e449cfd31382a819916eeb8a9e10b6643ad3a9123449a77ade145d7aaf90d4d9ce4408d55d3b0494f84bec1e3080f83e56

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
b7fe23945091ac1e25fe3b12b9750a6d

SHA1
0e0c0e7072174794b3ed6095bb89dbeaab2f89c9

SHA256
adcca0e91cf00cf333c3386f469dfac72c1a530269cc2efde3c926d7a9819d17

SHA512
9818fc0190c82f013fdf7aa191c6f0fe3e4f4381f552a5cd815537ac73573d97c90d170cb8989705c37572326bc7095b2f5b15f274ced6de853b7ee20dfaed1b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
5cc4e8781cfdb406bb3a3d15579b18b3

SHA1
4f226c927e176024215252379e3fcb4aa9178f47

SHA256
d304b6ca55a4719d4d1b438f9f9bb3c427efcd8ab441ecd20f88963214df0cbb

SHA512
a27c07cb81cd28bfd7e3b80d1b94a7805fdfc8c503e0d9aa43cf18dfbdc499c2a700ca6a85360f96966726ca3c4e493f8dde7a5545c95c8028659d9967882b91

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
100a0b2417b6c6dc2d62fee2e6c20b93

SHA1
d61b6dca69ad9d4bd2a011d10c3d42835252cc31

SHA256
86792ea285f3b0bca76c0d81daedb226d4146156a327a0b2d5bdba00e926ab83

SHA512
a802b1134b96164f51566b75533b2c48526e84883c6ed99175280bfbf5322a281c57586502ab9ff5e622eae45ce3b08dd6d7d2daa7889c49a0cfe7327f60742d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
8.1MB

MD5
9521a559cc032057962a76ab358a2837

SHA1
e5bf8750f7c9d08026376a39ea478f80f70d91aa

SHA256
3b7211a962261e9d64f5a5885048ce668c5f70558a9322888fcebad3ac9a90b0

SHA512
2716d0c5e7cd7ddd990e453766f50ffdfb10ac7adb1879ed87bc1a4e127a2ae908ddca765a38181568dc1f668b41c6bdafd0ae9efbf10f389e480f1204449239

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
f1bee28a49fecafb65b1461a57d5bc07

SHA1
ffffaeb32d0f7be05c2b840be099b219f02abd08

SHA256
0e79294dc05a9edd1195e7b2f8313c6e901ba4aeea61e9c15d8ffdda5b456e0c

SHA512
ad644fadc5536f16aa1d4cffe3f62c787413141607982c3424fb26b39942d6bc4943f69e88e1440012a046cc2b4298b256ecc19f60b38ad0e41d26b31767ba8f

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
543559d72e88dadd10f863599027cff5

SHA1
79e8cec170d0232c7d0b429e900cdd2eeb216931

SHA256
bd0528077a4fb40ab5aba1ab3c53bf5576354874e32939b08cd2f35413265555

SHA512
cb7bf429eb266a7c4ea9da334567270ad2b426092311f00c7a41a88e7fe75ce51db940b15a117c7c83d849905fa3116e5b7c53a44c893e4f7a2cc9b49ad255ab

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
2f58c53c4b17fdd5b5084702bb0dba7f

SHA1
d71c7e2fed1e32b75026fb708c009470c3f61203

SHA256
ee75116ea5719e0be0516be2929e9a3b8b7a6e10632be84bf28e7a7879ae296e

SHA512
a9f92e90dcc10c7834da84b187a51d825c1fad5fabebb3c77821dc7ca3189b78ca30cea2a579fbc6400c74c57ce1a30c25f612e4b2f384fe2e24cada6f75226e

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
5730737c6badf49993e32ea6a4ea0a76

SHA1
5cf392647a4b177307d41e10110f4661e3b534d8

SHA256
af7af01cdb34bc6234425555b12425d18160d8ff142b485c617f215279de62d3

SHA512
f4eef48a7a6fbcb05689c0a890fb322d3fc001fbb9288105c76315ce80429009b923836e65a896b18cc0fd584699d9d5dee993a02a3a3fe2711cbfa4cf7204dc

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
2.2MB

MD5
55d11234eec45c0ea00616678e64a15a

SHA1
3bac77989e0de1e5d3ce3f774f0f1b6451e94f97

SHA256
05670c3fb53eff564d58713296711525b4aad046ed547fab8e9af0778d6a17aa

SHA512
2eced2fd6ed47c539a91b9d93fc79b58da71cee4f79138b029313050ab8f93e79615989508e3c2e83af8d84693aae201a71cae8f07ded6d02eb1207545e7a12c

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
b09ae8941b5765a87e2c704e7b6a773c

SHA1
976f7b842542b0b16448dea884a41a572bea9c79

SHA256
906cd387111859848ddbb3e1a73c642c431a51cfb84f05ba98461a15cf06fa4f

SHA512
6e82ed3467c2ace7a5cc22bceb5196dd7d0a566a303b977c469881a0a426c4d6d93bb04577bb9f75025e65e5df363789f13819ed82cdd8b038ed9cd8343e1972

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
6d09b2b87a3a3308b755e881ccebf1a8

SHA1
b04d2848c3ab52fe3ce9a73d3ea66bd15c2fe777

SHA256
a4d70bc4bb1b28aedf399f0a167eb6961acecb18bcda8ac14f86e54dce5eef3c

SHA512
ab8ff34c77bb3c1af1bf3609344736d9b23fae4ddc606938e970eefaee6c08fe6d058042c3ea057ba904289b5fb92e51ec85647e680638a784257a1570a8c592

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
686b3d63a568ffcf0603cdab17f1c406

SHA1
dbb84452a4c41d1e6b358de24c7466eedb25fba3

SHA256
c3f40dbfc45f1fc9689cb33ef5abf0730fd17531831c89ea2003faee5e0a7a8c

SHA512
00a7acf0b7d6d4ace6cd237586caa03ddd078a7e3912aa1d397ad0622d0c33c8594919c5e8edd816c79b1522aa85e5e6771b7d6851f034cf36324587a1104039

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
03c73bad7144e96741c602012799d893

SHA1
de36981f827a53826cb1e9ee46c048c97bd5f44f

SHA256
5651642acb670fd110580a8f0a5c8123a09b59d08af4b3f299935adfdb221dc4

SHA512
a566b527928a00845d1362844e124e193b62905da0c054f349894707e57c294f564b1d30d1c4faa8b90a938a5c5b801c0fe13c9f20f8cb948de7498c350defb5

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
a02eb7fe10e0e3eebcdebf70db67dda3

SHA1
68d30306c590e13d19c887023824050687d39ff7

SHA256
0913133d0d4b204c08a75ae8ad2b5818c403365641a8c5e3a2ee3ca88d380ea2

SHA512
467b8a976c5d9ca81e63bc9f476462d3af3a14a6e4e8157dbf5eaa2aac9752b1f40896adf1c9657b632af15e1b28e2a11bce8fd68f0243b1acc057f2cd0167dd

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
a1686a0493d3f83ef615588f8656a1aa

SHA1
7f8470d489f5e7434eabe3dace50ff793aabb155

SHA256
d6d5e7dcdb7ed0392492b68198d00377f0dbcfac7fefcc6ff2e5bc5840ac971b

SHA512
21df630175416417fc132df89ad7a9f903ae734bf68861e70493be7f8d5779aa1ccc52e2f9730f0eae4246c4135adf23b2c61144a39dca0c5f40a03c928f2007

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
814241b6f20623fce56e0cb8880eec32

SHA1
63054f9a3b0b15938af2bbb95bc4bce5da5fd16f

SHA256
8454e30bf3940bccf94b6df36660776084680da1be6338d613c86a96f879e93d

SHA512
8871269518da588459587f9c084d7f1d3c6612fd73b1e4ae53ac35db9909f47fba16eb5f11f2561502532ab34139dd916fff492de0c2f97d76ea180f5f232bcf

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
42e22badd37f25459bc4ea26343ce7d3

SHA1
8f198003250508c4954341626dc5cfb5e52baca1

SHA256
e92358f6ff73ad60eaff59d6e1c3c8848193e3795640f3cf9e826efec8d49bb4

SHA512
872f171085eb7f10825fd3dd53cbfae5b0fab15dce1386c80b9ad89430b5468f9da9ca60377384082bd79141a2f040297d57b0b06afea6c404f125f829c5def1

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
dd519c08898ebbdcf8a67264f77b9976

SHA1
89f3c375be5621e9313147ef7eb0f0f1a945c266

SHA256
aa56f53eb74203ed291d968a5b8f77e37fee8983da80e7ace293edaf9f830020

SHA512
48de9c7d94b3a13e2a75f2708d5aa013a1697a1f578f6afadf8138e3a9a1aaeceb342a10aaef9c0c3cdd963239840f66c7c9022e3d9585fb3815d85e8efcf8cb

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
dd519c08898ebbdcf8a67264f77b9976

SHA1
89f3c375be5621e9313147ef7eb0f0f1a945c266

SHA256
aa56f53eb74203ed291d968a5b8f77e37fee8983da80e7ace293edaf9f830020

SHA512
48de9c7d94b3a13e2a75f2708d5aa013a1697a1f578f6afadf8138e3a9a1aaeceb342a10aaef9c0c3cdd963239840f66c7c9022e3d9585fb3815d85e8efcf8cb

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
a5ea19bb8641be60b02855e5b6a7737c

SHA1
106dc299c893d1c72b83daa5eadfa6dc392c59a3

SHA256
ec817031c5d60f33384155a3275f43c125d77400a290cc60236f1f212380d883

SHA512
462931d259b91a9020af477a180113ebbd2a742fbfb03b58e201dc4847eaa1661c9d9b3bb4c3ba068387f0bb15ae0bca060a7c917923b0b633cd43b4855790f5

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
66b7e5e56c4d167cfe5ba9af234baff2

SHA1
dd6424d4a6ec57357990bfae39a4bc268189f0a2

SHA256
321915234a267e309d3e120b76270332881b0496be631ffbc05c7dd365c2ebcd

SHA512
ef63f51407e7fabbcc3bbcdeccf42f002ed05c625b2a45bb9848e561d4ba074cc8196d247b45e4e0e640ecfc21a12b640a5c6e773595b8c295a946c5712d32e0

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
116c13dde87e71fd483187fd86a28923

SHA1
ffb4f32e604438bd01e80d6cb02fe7d8bb8153da

SHA256
f1d5b3758d95c29f2dbd1f209a562148a1f4ee2d30a15c63463e2ea2e2d1b964

SHA512
033d0618e4a4cfc4254d3783f2e1aa50c42d7d48f641d6db3c6c9ffde51b53a6ff03860de63ff6e1c5d1849c771cc8f8732429de4c9c45b99a0cbf6109a9c480

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
116c13dde87e71fd483187fd86a28923

SHA1
ffb4f32e604438bd01e80d6cb02fe7d8bb8153da

SHA256
f1d5b3758d95c29f2dbd1f209a562148a1f4ee2d30a15c63463e2ea2e2d1b964

SHA512
033d0618e4a4cfc4254d3783f2e1aa50c42d7d48f641d6db3c6c9ffde51b53a6ff03860de63ff6e1c5d1849c771cc8f8732429de4c9c45b99a0cbf6109a9c480

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
6bf2b69427c181844b616a06d2bae6e0

SHA1
fe55a8f905d1c7343fd820be7da09b928a607b4d

SHA256
1b7fc3ad3c83af97f7a73eaa7cc2c37e72828bf5ea17b658858847d3cd19dd47

SHA512
488c1372d8bc73de05de4d138d31c82993d0bc5634266acde4623afaa2f0663d788b36c74b017e39306115b1a6f94140da9f79964306dc6c62d0eac33ff57b7a

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
c19b95a57ccdcb4a999fd017882fa923

SHA1
f69741b0c61494334f712db1424abdaf7dc1f8bd

SHA256
bd3db0142516b285b25c6f701b5280ca74b0365467abc0a68ca49a5a13bf9044

SHA512
9d58f93856fbd4c8865e8c24faa6d0b2d28ea778fe89d43c40bc1f88aa096552f90b7b7516268222e7d040daa0fa4206800e46232b0f01b9e9494066de85f168

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
cb374d10567d2c2b12fe22515d293b76

SHA1
ec737286f656838b71686f0922e775da075fc195

SHA256
31729353c554330fb0330e6a983fb3617805f01839543ac6da0442f6560758a0

SHA512
847a742a3a79cc8500e552a47604923630c0cba005ae6e5360c867c5fac72db156543b6a8435a986c3aa97a0b04d1fcbd9b160118e89034e2eeab0745f624aa9

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
4026712763f301353e4b28c89a776b0d

SHA1
7055ae93861ed60dd1c47d85eb6f51ee72575aab

SHA256
f7758fe1b5c343ef7727598de2b4884bed8d81414f368499656e5deb4329f8a7

SHA512
fcf38581d801709deccfa114dbec11f5a73691be1745a884f1c9e3586e0cef466a5a179b6ce0c114741597697ede93207def9c1c03a8970dbd5a67c1f1ee4226

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
8b69244c5931e9bd478a3be0c3b453d8

SHA1
51231f1dec9ff8f433297e328abd09fc6a5be2f9

SHA256
4a9e6e5c2df79ff0d63be1d010416b0bcc440c1b5b64d9ef003cc9a64c3aefff

SHA512
55655948251cf8ac152256870884cb530d938e3cd55100c50a6b8ec338c799cbbf90f9206bb1466c148b9d680fabfc869a25ef8d00752a2978558a64223f46a6

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
3cfbd6d075183aecdb7349cfa762756b

SHA1
fffe2bed2527654dd0ab5268778581f3f4fe9880

SHA256
5e58bef77c06a5164e7da4e57ed7fc0e09f818f8b5910936b628baf3944c055a

SHA512
da9b3c49c04873c1ceef1ea5268d32b7c520bb993af0335342e0db23cd39a20c87ec496c3a577c1d4df7ffc9140aa98cf989ae5d77c918419d372cfe8c10ac69

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
a205f9ad43ccdcea02ecd66d68623021

SHA1
b95ed6ef52714897ab7c7333ca56646cd32ae040

SHA256
0777a54efa3b2bf13ec3a0e385dc232c9350d74150bde466b4f9f61f944b4e77

SHA512
a5d5223cd6ff2cf99754be583e45d496a722a96227de8bd1f20c24d92c4649062a3ece429069ed92a580fd3850d90239376653b30b8997ed3916e727d08f73be

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
1ecabcdab6366fe4777ef7357c1369d1

SHA1
51f4eab28205967d4d3dbde86f71c0793bb2a677

SHA256
ee4fd59f7c5e85cea7d5b427d0476e055d5275f4b92668d647bd83b0c99e80ed

SHA512
77eb56ac188b4c4a8fa440ea26bc5331c8ca87ba122ea2d73d6d3e583164bc3c47deb2e7cb4f4541ce5ba0bcdc8f85f5720acb11bad101cb75e2bfcbf94309f9

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
c10c9354b0409ece644bf4411785e7b2

SHA1
9635d398c60ccf0d30ed1e432f22b6ac2027891d

SHA256
d8cc25f43e2386b44fada33a86213975b7c43754f18552d67d03b1bb4f432e4b

SHA512
e02d303aa0677e51a1e6591f618f9ccb6c989f42238b44d258ff3edfb8ac97c6fe9bda257c07bcaf1bd386de22e1cbd83caca85c8f73b715d7e444c8c04f2b54

Download Submit
C:\Windows\system32\AgentService.exe

Filesize
1.7MB

MD5
a02eb7fe10e0e3eebcdebf70db67dda3

SHA1
68d30306c590e13d19c887023824050687d39ff7

SHA256
0913133d0d4b204c08a75ae8ad2b5818c403365641a8c5e3a2ee3ca88d380ea2

SHA512
467b8a976c5d9ca81e63bc9f476462d3af3a14a6e4e8157dbf5eaa2aac9752b1f40896adf1c9657b632af15e1b28e2a11bce8fd68f0243b1acc057f2cd0167dd

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
00899bfb03359dcd43310140cf5f6680

SHA1
304bf8e526ec8377f30db1a0e4f60989bf4f7e85

SHA256
1e09fb7350af22131a596fb15853e794ede8d7ed72c9acd7edcabdfca0ea775e

SHA512
ca84e262e7c5b31b9a6c1ea84f45fac6de79bbde1cebe4bfe7f3a2e33e7e502357870a5e61b7eeca58cf98181f592ef380bf3afec36ab5dae1ab6a9e39e2f5a3

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
6ba16bd994643d9d64172b03cfe0fa3e

SHA1
982fa431f90e9e4515874f03b6d271220be88fe2

SHA256
6c77a52a9b8d865ad2fdba3e8188926a3e9bbab68eaa61011e001e2cb3ec244e

SHA512
f6c5353ffa596fb41169410de0f48441c6ad178ff5af9f0a1f4315c0a67874a3bc56f28a9a458094220140f283b057c5cfcdfe43a29a5d9fd3d53c921c891171

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
814241b6f20623fce56e0cb8880eec32

SHA1
63054f9a3b0b15938af2bbb95bc4bce5da5fd16f

SHA256
8454e30bf3940bccf94b6df36660776084680da1be6338d613c86a96f879e93d

SHA512
8871269518da588459587f9c084d7f1d3c6612fd73b1e4ae53ac35db9909f47fba16eb5f11f2561502532ab34139dd916fff492de0c2f97d76ea180f5f232bcf

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
71770669417a9a640d1dcea952bce8db

SHA1
876fc32cc5b9a690d1034b85b2c3e4d4699e2d38

SHA256
75cb4513c1e900a064023af8211530f3e8b44a116557a6572c1034778c071ae0

SHA512
282a0fb81353b9ef5318806b479853bc8a1d112495706d6cd2285023b12cf69aeda2e508ff2fca2d07c4e5ee1c20225b7275e8a200c3a17f7ce8f5422f692cad

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
9e3b469e86ad32673ecb7a2359918eff

SHA1
4ed0d5d72269391e8bde6e35d3dbf5bea1e5e3b5

SHA256
3d69e7af4230608ed666f848685c8535134925ee1527f42295ee4f1124bb636f

SHA512
0592b169e399c8ff397681cb5414fa1415f7afd2cb506c5aed7ea9f67c3d380b7a5e81629daf1002d8f87fe11bae8428c1d17769a34ac20e1d1ee130ba53b2e8

Download Submit
memory/216-374-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/316-313-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/336-347-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/436-360-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/532-291-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/836-669-0x000001924FEA0000-0x000001924FED3000-memory.dmp

Filesize
204KB

Download
memory/836-605-0x000001924EA00000-0x000001924EA10000-memory.dmp

Filesize
64KB

Download
memory/836-800-0x000001924FEF0000-0x000001924FF00000-memory.dmp

Filesize
64KB

Download
memory/836-606-0x000001924EA10000-0x000001924EA11000-memory.dmp

Filesize
4KB

Download
memory/836-747-0x000001924FEE0000-0x000001924FEF1000-memory.dmp

Filesize
68KB

Download
memory/836-746-0x000001924FEF0000-0x000001924FF00000-memory.dmp

Filesize
64KB

Download
memory/836-745-0x000001924FEF0000-0x000001924FF00000-memory.dmp

Filesize
64KB

Download
memory/836-744-0x000001924FEF0000-0x000001924FF00000-memory.dmp

Filesize
64KB

Download
memory/836-668-0x000001924FEA0000-0x000001924FEB0000-memory.dmp

Filesize
64KB

Download
memory/836-802-0x000001924FEF0000-0x000001924FF00000-memory.dmp

Filesize
64KB

Download
memory/836-801-0x000001924FEF0000-0x000001924FF00000-memory.dmp

Filesize
64KB

Download
memory/924-289-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/1084-372-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/1084-165-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/1084-163-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/1084-157-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/1360-213-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/1360-206-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/1360-217-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1360-469-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1416-198-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/1416-192-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/1416-216-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1416-468-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1540-199-0x0000000000940000-0x00000000009A6000-memory.dmp

Filesize
408KB

Download
memory/1716-621-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1716-376-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1832-251-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/1832-558-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/2000-136-0x0000000005340000-0x0000000005350000-memory.dmp

Filesize
64KB

Download
memory/2000-137-0x0000000005220000-0x000000000522A000-memory.dmp

Filesize
40KB

Download
memory/2000-139-0x0000000009160000-0x00000000091FC000-memory.dmp

Filesize
624KB

Download
memory/2000-135-0x0000000005250000-0x00000000052E2000-memory.dmp

Filesize
584KB

Download
memory/2000-133-0x0000000000690000-0x0000000000840000-memory.dmp

Filesize
1.7MB

Download
memory/2000-134-0x0000000005900000-0x0000000005EA4000-memory.dmp

Filesize
5.6MB

Download
memory/2000-138-0x0000000005340000-0x0000000005350000-memory.dmp

Filesize
64KB

Download
memory/2168-348-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/2288-345-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2864-293-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/3416-233-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/3416-242-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/3592-180-0x0000000000E20000-0x0000000000E80000-memory.dmp

Filesize
384KB

Download
memory/3592-186-0x0000000000E20000-0x0000000000E80000-memory.dmp

Filesize
384KB

Download
memory/3592-204-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3592-202-0x0000000000E20000-0x0000000000E80000-memory.dmp

Filesize
384KB

Download
memory/3592-190-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3860-622-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/3860-415-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/4004-188-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/4004-176-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/4068-219-0x0000000001A20000-0x0000000001A80000-memory.dmp

Filesize
384KB

Download
memory/4068-231-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4068-228-0x0000000001A20000-0x0000000001A80000-memory.dmp

Filesize
384KB

Download
memory/4068-225-0x0000000001A20000-0x0000000001A80000-memory.dmp

Filesize
384KB

Download
memory/4088-411-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4140-470-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4140-636-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4252-145-0x0000000003040000-0x00000000030A6000-memory.dmp

Filesize
408KB

Download
memory/4252-144-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/4252-143-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/4252-140-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/4252-150-0x0000000003040000-0x00000000030A6000-memory.dmp

Filesize
408KB

Download
memory/4252-344-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/4620-574-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4620-296-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download