blustealer | e44e1135888701ba8cbf462efa9d992a2fa1f83e52c471f65c62c16fdecade26

Analysis

max time kernel
151s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2023 10:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2.exe
Size

1.6MB
MD5

c7c88b125e27183372fb3d59c959f637
SHA1

47da39de6edee6bbe9680d830e8f64b7f3fccf3a
SHA256

e44e1135888701ba8cbf462efa9d992a2fa1f83e52c471f65c62c16fdecade26
SHA512

f6beaf1a6e4d8fdde08fb44c90f93c75c6f88bf04d35a90de0711a683c4a19cc82f0e846b038af4b30f6e18d5905d6006de5e00dad5cfd629d673dd81015ed63
SSDEEP

24576:04LpeAT/4TUmBmsV7ckan9wLb+mkA2NffoYF2zEg06nLnH8b/5cN:ptADBmsmkanaLb+XJwS2zECLH8bI

Score

10^/10

blustealer collection spyware stealer

Malware Config

Extracted

Family

blustealer

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 22 IoCs

pid	Process
4648	alg.exe
4896	DiagnosticsHub.StandardCollector.Service.exe
4104	fxssvc.exe
4720	elevation_service.exe
4264	elevation_service.exe
1896	maintenanceservice.exe
4508	msdtc.exe
2148	OSE.EXE
892	PerceptionSimulationService.exe
2668	perfhost.exe
4820	locator.exe
4832	SensorDataService.exe
2548	snmptrap.exe
4744	spectrum.exe
1080	ssh-agent.exe
2772	TieringEngineService.exe
1348	SearchFilterHost.exe
5116	vds.exe
3360	vssvc.exe
4660	wbengine.exe
1840	WmiApSrv.exe
816	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\wbengine.exe	2.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2.exe
File opened for modification	C:\Windows\system32\locator.exe	2.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\ccf30f029a2815e1.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2.exe
File opened for modification	C:\Windows\System32\vds.exe	2.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2084 set thread context of 3224	2084	2.exe	90
PID 3224 set thread context of 3044	3224	2.exe	97

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jjs.exe	2.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\java-rmi.exe	2.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\kinit.exe	2.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\rmid.exe	2.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmiregistry.exe	2.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe	2.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe	2.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\policytool.exe	2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe	2.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdeps.exe	2.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\policytool.exe	2.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	2.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jjs.exe	2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	2.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstat.exe	2.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	2.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javaws.exe	2.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\keytool.exe	2.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmap.exe	2.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\klist.exe	2.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\java.exe	2.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jconsole.exe	2.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\java-rmi.exe	2.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f2d581d63c83d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000295ff0cd3c83d901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000384151d73c83d901	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b6fb4ace3c83d901	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003b6758d73c83d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000056d9c7cd3c83d901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000369486ce3c83d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c9c876cd3c83d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000002fad1cf3c83d901	SearchProtocolHost.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	87	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
3224	2.exe
3224	2.exe
3224	2.exe
3224	2.exe
3224	2.exe
3224	2.exe
3224	2.exe
3224	2.exe
3224	2.exe
3224	2.exe
3224	2.exe
3224	2.exe
3224	2.exe
3224	2.exe
3224	2.exe
3224	2.exe
3224	2.exe
3224	2.exe
3224	2.exe
3224	2.exe
3224	2.exe
3224	2.exe
3224	2.exe
3224	2.exe
3224	2.exe
3224	2.exe
3224	2.exe
3224	2.exe
3224	2.exe
3224	2.exe
3224	2.exe
3224	2.exe
3224	2.exe
3224	2.exe
3224	2.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3224	2.exe
Token: SeAuditPrivilege	4104	fxssvc.exe
Token: SeRestorePrivilege	2772	TieringEngineService.exe
Token: SeManageVolumePrivilege	2772	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1348	SearchFilterHost.exe
Token: SeBackupPrivilege	3360	vssvc.exe
Token: SeRestorePrivilege	3360	vssvc.exe
Token: SeAuditPrivilege	3360	vssvc.exe
Token: SeBackupPrivilege	4660	wbengine.exe
Token: SeRestorePrivilege	4660	wbengine.exe
Token: SeSecurityPrivilege	4660	wbengine.exe
Token: 33	816	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	816	SearchIndexer.exe
Token: SeDebugPrivilege	3224	2.exe
Token: SeDebugPrivilege	3224	2.exe
Token: SeDebugPrivilege	3224	2.exe
Token: SeDebugPrivilege	3224	2.exe
Token: SeDebugPrivilege	3224	2.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3224	2.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 3224	2084	2.exe	90
PID 2084 wrote to memory of 3224	2084	2.exe	90
PID 2084 wrote to memory of 3224	2084	2.exe	90
PID 2084 wrote to memory of 3224	2084	2.exe	90
PID 2084 wrote to memory of 3224	2084	2.exe	90
PID 2084 wrote to memory of 3224	2084	2.exe	90
PID 2084 wrote to memory of 3224	2084	2.exe	90
PID 2084 wrote to memory of 3224	2084	2.exe	90
PID 3224 wrote to memory of 3044	3224	2.exe	97
PID 3224 wrote to memory of 3044	3224	2.exe	97
PID 3224 wrote to memory of 3044	3224	2.exe	97
PID 3224 wrote to memory of 3044	3224	2.exe	97
PID 3224 wrote to memory of 3044	3224	2.exe	97
PID 816 wrote to memory of 3748	816	SearchIndexer.exe	118
PID 816 wrote to memory of 3748	816	SearchIndexer.exe	118
PID 816 wrote to memory of 1348	816	SearchIndexer.exe	119
PID 816 wrote to memory of 1348	816	SearchIndexer.exe	119

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\2.exe
"C:\Users\Admin\AppData\Local\Temp\2.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Users\Admin\AppData\Local\Temp\2.exe
  "C:\Users\Admin\AppData\Local\Temp\2.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3224
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path
    PID:3044

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:4648

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4896

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:540

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4104

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4720

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4264

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1896

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4508

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2148

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:892

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2668

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4820

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4832

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2548

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4744

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1080

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4700

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2772

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
PID:1348

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5116

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3360

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4660

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1840

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:816
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3748
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1348

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
49f74e96f0f5c18858c1f20304a7819b

SHA1
008a01b84754916ff087e6e20b40e59ee16744b0

SHA256
bf96e7b06ea2e35283f5e319c5a3cc56388d90bc189fe2b6d580a73478cff83f

SHA512
7f482faf654fbe5eeb76758e0fd6fa481b45537bb7e2d5b96c2918d7c12c49b81f8e63cce3f7a62deac67b57466b31c71b6943fb8bed619957e84dd28360fcc4

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
877f689a847d47f888cd9bd03b1aab4c

SHA1
e2f479f288b5a10bf4c82bf7a83b7a67a564cc24

SHA256
2ca47c1af7343b8f24748f83421c1c10f6d660abbeb0f031e333b992d54940eb

SHA512
f9690ebee675152098e6fc00e830c5b4b03feafa40fd1a93f084f31fe7ae522dc62460cec065f53a000cf8675423fa92b17208e7f291cfdb14fe161373d94401

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
877f689a847d47f888cd9bd03b1aab4c

SHA1
e2f479f288b5a10bf4c82bf7a83b7a67a564cc24

SHA256
2ca47c1af7343b8f24748f83421c1c10f6d660abbeb0f031e333b992d54940eb

SHA512
f9690ebee675152098e6fc00e830c5b4b03feafa40fd1a93f084f31fe7ae522dc62460cec065f53a000cf8675423fa92b17208e7f291cfdb14fe161373d94401

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
76707b92e03a2d6680b2b6c1f139cb61

SHA1
bfe3015a8da8dcd58830104b6ee0f0f59afb8fa6

SHA256
79c2bac7abf0504551169ad25b9383df9850627a2186d8b21c7fe766ac76f47c

SHA512
f9747b500df558ba015b97652296a712be1b80949704766304f71142cec542d90fd91c7124ce302d5830f5eeb4511dbb42a008c2bf2fdd05c95eb192140d1088

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.4MB

MD5
129e852886614b07d2000a12b1bdf650

SHA1
f0b4d6241bb3ab77c4955434643caeed35364888

SHA256
c98629d6ea6a843507d5cbc7cd2eb44ad41c94a5b001a5f4e9525175d208da3c

SHA512
33f4c05879da5e5b53e0881f365c2a0dbc553f6bfac64f79d3e336595f86a3bfd3b3d8596f1c833a6cabb6294bfe27027543e35261cb884b262339f8f8aace23

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.1MB

MD5
c2021e388884476c96c70b4102d0c404

SHA1
451ac0452f7faac5ed1a3381e972e8ad1d0784ac

SHA256
ceec9eab4bd86d7b11a2c2e6c3643fa71ffd3919ffd6a7f621942f324afd4a80

SHA512
82e9f5ed89e004e5c060b66c22a7ae1d9c82388a3e4a54fc7a3c4d1e4578a82b9c90a7bb8eef944dd303910b2a490ba69b0b38e946d7fd77dc899a9a09cc6ffc

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
ac83380194d6d7741a886e9f111a3fe0

SHA1
407e14087a21f783ad97aab938c9a5f9f48fb0f5

SHA256
096fa0c9852fcaad71992d7175fbdf6c4a891de87663a0bf7e34afcf5edc3855

SHA512
31479de0f55fe4831ad6f80a8174d02a32c28c0e370f70bcb15741fd3bbeed4c331dbb731f00577c6ef6142f00a5e5bfddb4c4f72f15961086a56fd038c310cf

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
826d5d39b1ac3e9c3a2800ea9816f185

SHA1
a1eec93c3922e32418adc4631cf6f7dbfe4bb409

SHA256
848fe15b8ac83d8f373f7d89d757a72a470fc6c2824af5314e98c1f413957f92

SHA512
aba9ad7cfed9b908f7101237fb1d16cd60443b8cd4ffc8a4bdd3d2ef52073e4cf13033215a27656e32c2b877f3838dc8749fb5b5b51442b94fc55470e539cb5d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
fda83a0a260cc580980dd34a839b7132

SHA1
b22ef8907dba8752bfc303bbcd65b687cb4225f0

SHA256
fb4daf99158e48fb930d16ba5567236fab99a65e7c43cf8ff32f2aa7d31b3f65

SHA512
bbc3e52af0530408892f306e4bbb957633f97d191641e0dc91d56bc6c358999bac5ee5ed5a44a65873362063ea75a08e7545d94c2968dae44a81580e610860f6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
48df84e0d64b2b39e0c765491fd9832a

SHA1
3ab3399e9cc3c45f3be8fec34e7d97fd2dc72e37

SHA256
2365b2e8510cf1a0399e22fa9b7b74da2e2c3e4a77c43aa4cc9840dc2d641b53

SHA512
ae6f7cbb05ff55b3282457a6769c81d3ecd951262afbdb0240259b085053a8fc83256a3ed26682be9971ad7da4e40355d7de599f5e799468a15f8bffab03a863

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
0650159476a291b1a18997e302d04030

SHA1
a0270ec691fd2abe87e34a8937a706b8efc6bde1

SHA256
ef07230185ce7cf633ce1921894e854dc732cb519be4cdf23ec56b18438cb1d0

SHA512
b5504b9d82b6f3fd1166fe17a92ed5714321e4b6b900a6c30d2ea0dbbb1b074c8fdede0455af09708fcf12a83a2526156af073c5865412bb723ea9ebf6d056bb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
e9629faf4933f11afbb39e19ebf0a885

SHA1
bd64977ddddcf0a42c2ca57d7d61fee3478599dd

SHA256
6956848ffd71f485f003db70eb47be6df8aabd69b1b07af0ed8247e86afa10af

SHA512
2765709cf5c0556305edf9e9c8ae35a23d61ca1c6bd0849c7eb9a2f318ab8400612efda675b9d27d52e719a84b3be4a5398f1d1668caf5764d6197c1c5dc58e5

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
f5722eadff39d0940054088406262aec

SHA1
637176d265acebdb43ddc5a535c1c5149b4e6229

SHA256
8a1c981f26e60512dd954d925e5f93df1d1b80c8f8bab7f25f8972ebc87e2252

SHA512
d6ee8673a5320632d832e89cb854a87290ac6039197476cc2f10563149575d1348c15c21f56bed8eaa9328cfa5092eaff7fc11fbc33fadf582e6889db7b999d1

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
d193e046083cc2c0040a49e9e951745f

SHA1
8020e2006503048769b51fb125c2c3b0f76d7e94

SHA256
cac9bffca705b94387bf60d655fc00fc637d38b48ac51762db47b208295f68cf

SHA512
45d00cd4abd611219c5d4a6a955b1a265e206d6e4a2f60dca4612c7bd34879b9b59f7de17248bdc3923a1e556e925fd0c4bb963064f44b5b56f8c2cd41cd12b1

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
44d52dc0da38f92b325454b634729a67

SHA1
be849722dde8da43a116c3626761b65790acf33b

SHA256
95ded7a7ce6f4fc3ba079fb08b0b5457df62a73133c165c39ed1b839d4ef26eb

SHA512
ab33e00249b5e4b1eb3499743219cb7ee6b9d2bfcc34faf01b65710a819d1b7284b0b5d338d38d005338a7b0574bd73321c44d64b277bb5752363dd9bfdb610c

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
a323c82e9d85eb5ef0833cee60258d47

SHA1
3ef5324a4b38e845f57c879f000b592a28bb4064

SHA256
8f6f35e1f810c171e02d7f7be0cfeb3e585196480d9bc65dbc981830ca65b787

SHA512
cf6f67113733d75620222014849fc2e19e2d89dbf251da49ac9f1354c8fdc58c6a9b9b603f744e076ccfa9e7e5fd88274dc976cafc2023f4b3f734cb5b6ebe94

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
1691791de9f7d74e4f4bc41643ec769b

SHA1
98a8292857f998d7a3b060402ec0683951467638

SHA256
7b8cd2004f2df16021081837c09df58bb698a07669d3362b60470224fdd5362c

SHA512
a193c7271db35e00fd144a4d0bbfa2a21c007b64cb85f4e81f7bbfd9f22f2cc171282b40208783e8ace01dbf7b792f21dccc8123853c6bb5ed101115c3a67cc8

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
1b8a1e91031cc67fc9e5a16edab49c8a

SHA1
813e2721b00b40712a19e92810ca349dc52bcd2d

SHA256
4da82d34909b34357ead34f8068daa509c159f267aacc8f5ef9883aeda343103

SHA512
07e18f1a7d6ab037229f270fa08bb2f23824967aa16a961cba1c9f4c562696c51b5e0efa6c5c3040816231226eeb3389c543c99295a07f8d9005bc71aaec5376

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
10628ebcfa7164146c94ce46efe5d668

SHA1
544d8351ea39620696426f0e7b2dea9fa44e7059

SHA256
b1d7f15d4bf499d165befb5476565fc5a017fcb1785d5979e0089165df703132

SHA512
c72af9976deea4c99d65b127e31009aaa6e3d2e7429237feac5fe70aad21784f05fb40e2f135f8e35ac424f4f0b54e3696ee01fce34087760fc1d0922d0e8672

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
c062c563bf88bfe39470eb8ab6c842e2

SHA1
a3e33cfa6ac8c20ba39f24daee70861fa40d1efa

SHA256
dce0b07950cbaa11c722300bf56f3841691aeb91de08451cb8e735979cb115a6

SHA512
63c9cb2a898e34647797d5614b0a7a08b4f7376027ff88a676e053e3fd0853893bc5135471170b007687405c94afb1c67ccd4e623bee3a5aa3e46c593af424ba

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
3eb9735872bafd3d3f25a796e3382d3c

SHA1
fd0450b8ba959719dbde9b04cc9492e2cde19f0d

SHA256
42dd8f971438904d9e37e120b92bd3d41f3c11c9bed92828120b831a5c2ae868

SHA512
a5890699cf72ae423f223804f369cf7cb166d0d68c05e516a3b5efafd599cb90595c1a9a82ab0d3ca53728f9709d40e4fb5589ffb546716de0ec0a49b473af4f

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe

Filesize
1.2MB

MD5
ad5f5d41d9389305806772e89b239413

SHA1
fb4dacf7f0c12100e9a8ec9d8845378cb98d475f

SHA256
cf9c2f6d65ab4ae9af5b60e2465945ea2dabc4c3dc250bb3ca294d03a53a1789

SHA512
e8b697227feae1fc2125d0e367a417dbd183b692368666144a4a9fc525a85a42be6e76adf88bd3d3ad9edd0e872edcd951f57a4edcce6944954ba0b450c1d008

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe

Filesize
1.2MB

MD5
a9bff549e016f20fd4580856c570abcf

SHA1
3d76bb81d482eb87b033689d70bb88a7e3e4853d

SHA256
4dd9dd2535dd6b3b63da02e4faaab9ec784fc96894862f02bf5f7371ec58459d

SHA512
af68ce4de763a0de757faafb74a8e0a83c281e410d671d80eceed6be8f4b11d7dfce138a982201a1cd5bfa959d262f6d50bfa330201a6211d5c1088c2b076d0c

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe

Filesize
1.2MB

MD5
cf16793f8f22cb429ca40d8df3dae935

SHA1
22843c941723f96faa4f26f8a58591f8d57c7654

SHA256
3b2ecb67ae73abc3dcabaddac0b9398da988c61737c9b533158d182711266fe0

SHA512
5bc41d55907a5967dc7ef3d5d6d5ba2a0999913d07fcbef4f0559bad20ec25ff17aac36a9efcaca28115f0e55e18e8a7f38698b9a268d86a6a8145d4c165fa43

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe

Filesize
1.3MB

MD5
358d43bfe6079e3d6c5ef3906534d4ce

SHA1
d27a26daf6b3de17965cf24b6a5603140ce22e55

SHA256
0b31cba6a9f7c659ad89c497b192dea00d45f0ecf5d5dd25524223f76161ed00

SHA512
3523b671b1634fe239002734231c59888a23cdbe14d5d675a07055222d994d7cc5c727961aebf38dfd182d1a2055005728f5b16b1196fe1a7970d7f68687bc3f

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe

Filesize
1.2MB

MD5
583f1dbf9616469b1b735ade905d10df

SHA1
6b3dc5a574653a9da2e7f7afff1ee5d24fca9f2b

SHA256
018bb3138fb967fc5a9e2f6f61ab0c0ab8924bf980d1ad1ad1893ecc2d1da784

SHA512
eee2d2c36e8b7f32fdc3482533ef99f5942dab34d6da3892548c6b2b3dde8d1a3f7dbeb8d7e3eaa0736f6c6260d933841f2329cd450209f0c866823492381e65

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe

Filesize
1.2MB

MD5
a285a0035e1a1868f3292473dfb56363

SHA1
40550f3cb1ba3ce3ebb8c16f9b4888ff1f793a70

SHA256
4615bc805e3ceaa2df42b012852ec148475bb505e0a90e94b1fd573c6299fb65

SHA512
f54957e567741a25e3dceec91f8fb8ea9f04f47baf1717c08e5ebc8b86bcacbf9b3fe60ec2a45ff26435d09ca2cc54455a60a921e2a0e141e787fe4f55aabd30

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe

Filesize
1.2MB

MD5
56ca5ff3f7c0b833a562126c4d439435

SHA1
38d17d46e865274c24f9a85c8c26d6fe3c342275

SHA256
c7c208460b8c20940bfcdc6895097e5804b737a659c2b046df9091b3364b8521

SHA512
e017a4321beca1663d20dc739c1bd8abe3ba8311ebb7eab632994af9267de34c8bc9284ceec6acf5686b4b26374f4cf4260e1427c7d18a7d8f87d00064bdc4e3

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\java.exe

Filesize
1.4MB

MD5
82b4f06ed77d1c8344c7635f11c5828f

SHA1
8122013a49aecdff4e75526a042692d3d29601c8

SHA256
08c33387bfc4a3483ce37e3df08559d994fefbf703e47bb5625660e16e0b6913

SHA512
1109ff1cbf1ccc5aed8cfebc3bc6b252449782e449f1e088839a9d0319772802896e0c2a17095c4d5f9ca329b35d28dc6add613efb29682bb4e8491948888c5b

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javac.exe

Filesize
1.2MB

MD5
505f497ac023938cb1a73265c31db51a

SHA1
5093534619671c33fe39ec81997d4c4a2098cd0f

SHA256
2dca093203783398e2bf0db11d97c1e9e48b83b8b5f4459e73f5465e9af6f65c

SHA512
f087ebb90d9a82b2dacc18401e3c70e0421e9358087aa6905172123a69ecb38656fffdd53d579371fc421012d2fb61773d27a7dd0a627c91e5e213df891c2dc3

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe

Filesize
1.2MB

MD5
fb0f1c46f6a11751d46cc36361747996

SHA1
54cfda9ebae3f916942e528b2e073c964f08a44b

SHA256
9d1139a6db9ed70a4a913a370eeb6d9fb5d75a9da8eeaef210597f1b813dc288

SHA512
8e165fffa88c5d1446722900f9c92b302f00f752482c7ce32d82fc92a8f61e8e986ca3bd7f3d02a70c5b9011fb69164837cf987986fa50d17a3a4e21cea38233

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe

Filesize
1.3MB

MD5
a1e1b66e44d2aacca3e6ed508b6a8ed7

SHA1
8a30a6f47759bb0a7dc3d745bbcd66bfaa23a078

SHA256
66566f6e691261b722659e1b0625cee96d91c3b9b596afe199ca7db79c5dcdc5

SHA512
13beb639636bd55f7adaeb6186758f2377d047f4787e466d774b6f80bcc3ab8d794ea88dfe60b205a5f404601f6ae0469a308b4d10a57c6e08af5a4296fc48e9

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javah.exe

Filesize
1.2MB

MD5
ef0134dc5b4858fcca93278dd848ca10

SHA1
1f2b81768265cb1ca650d89bfeb8a7756c81a4b2

SHA256
6147fadfc8e83eae92b521e6722c6553c67f61f379225f9c84ba6cc9122fae94

SHA512
d32651f2389ba1b54fcfcebd0c51e9311d649a118957cbe5684c99ea066b20cd7a121885c4af03e9311c1117cb125bfee29964c61c0100982b84ed3fa06c499e

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe

Filesize
1.2MB

MD5
5e179575b101aa51c2b848d54ed68376

SHA1
27f3a358ae1d98718d4d1c6fe3928b8eec40da17

SHA256
dea9587dbf6657a5b31c72c6b4a60f5409207ef1de6b893b0de25cbc555e7d68

SHA512
53c941250ed950d48dca2dc720130c1a25bb5f35e5ef88f9b1314505a7436f3a5a72f22107787e40fbb52dbe7dd89c2ed762a4fb7acdaa8ce58a887a2cede970

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe

Filesize
1.3MB

MD5
142254bfb233ec7b4dc397bb64dbbf8a

SHA1
48f3a355e47c298bdf441a414bdebcc90446bdf9

SHA256
3c9e3bb0a250c20f466175ce3cde6a30a4da9c9397108dcfa794d7c3767eb6bc

SHA512
aa77abcc3c5fc209414ec5515d27599cd0dfe32e128c81aa294a211c213d5bf09a4bbbbe03b65513c6e12a84e1613eb6b4f196856a2dede14c80a66d2ca5935b

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe

Filesize
1.4MB

MD5
309659403ff9a0c9be34d5828e46690e

SHA1
c023dbc33d1c39340b137c8b0c0199aa2f80d688

SHA256
de8615397dbacc338574c8b178a71d059a9cbd7eac7adf844fd99119017eb968

SHA512
1f7f47308c806e052e1705ec99e00048fdc0343a5a18fcf80aa31f1ff8fc7b7e78b4e9a521c39fc7b02c9c391ac702212e769a557070f26d5a4895fa7cfbde50

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe

Filesize
1.5MB

MD5
9562830c321394138d731a768afa2dfb

SHA1
ad0d23d31c59d5468b2760a94baf3d6b2ea5c9b0

SHA256
35c402fdf8709c1b57f477b0acb3c1c4a6fdc2fb13c55e3592c97962f1a39413

SHA512
a4428265135212f49c41ff791910334a74029e7bd75e02b58453bca1c1ee4bc826b928c7f6adaf4854bf92d530fd6fb9e3f6c810c5075b3222a1792ea65cfcd6

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
ef34dc49524015790f036713a165e1ae

SHA1
295dfd8a41ac80359edf8e366d9b6ace00c6870a

SHA256
45cff9dcb9bded818f39f6afd7e06d66e5c3845a874e1ec301eb11624a045c22

SHA512
2b06f30bc99aeb6181b62fa86c56ae9bec0f586bf819342724b9b1f29b6d9b309d15e5c2a3d4fcdf344eb23d0fb966d21fac8766f41b8c443912cf95a7987bf9

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
54de689626fcda024492c14fde28cc29

SHA1
fa11ceddd5a9211c77770374d8a89cc6b3d236ba

SHA256
0ea479db7cafad4fcfe0a52f62551af1cc2015be61a9a9493d006d9991f35f96

SHA512
c978f7ae53043105c6c1aa96c596e5f4671cbde6dc84c262fabf7dc0efd406dcf73c86f7a716450e3cbe6b4997d092d27d5b21542ecd19d257479216aef5e36d

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
879b472ca836fc82caa56a7aa2301788

SHA1
ee662967a629d36b0c9e32c3a3451bc0aea0d8d1

SHA256
48593989b4cf1411d891480ae1dcf4719bd3362f7b68d4ff1379ecbb7ec0c278

SHA512
31c1883be253fa6bffe3c3f35ce66e06385d5e0fc9bdde97813e9120e6a3e5abe11432811c9f2a16a9264d5baf460c963d279459a296191d117f4f78c4ae5db2

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
dcae9d5b9a1129557967ab2c07cce46c

SHA1
b3940da637c1276364faee23fd2507a9902df229

SHA256
3d42ad8ab0489a95754d84bd21ccc9958647f4f0ef576275b9de23ee7d922878

SHA512
7f38a4a5cd72824b41b6596e1d78d91332824ccb5c2633270eda07e237aa6e3acbb4f8afea0776e17aee10bb0459e18378431e650a21c9ffaea8933cd884c08f

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
b9d534ad4ba8da73378fe3a81753432e

SHA1
4d2dd2404050efbb3477b82612946e5028b66413

SHA256
9c7930abf53058bae7bb877a272135e2a4ddb1897ec58b7ecca49602cd62a2bc

SHA512
a8b195115ec27b231a7592752280d25a331566d9d07e0a457efb31f1e171dbc5c8697a829cab6400aa4aff55824c0e383ac8d7a4390fafaf2dbfe7261a528efe

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
90c5447d6f5433f8680376dd19c795c8

SHA1
7ff961ebac32255bf9d6905ba14dda6500b400a9

SHA256
b442fc2dc561f5e7ea7e194984fdcfd6ce37eb83cf1410bc771cb2c2103378da

SHA512
2504f5a7228123c975270d5a8eab920c5cd21fd33600c39f2a69e2f842aec9f9a720936681fcf2ffd2a1144076e18c353cc2954fffd3e2b59961d4e755a83224

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
af130711141268fc3e64831e1b629027

SHA1
8ee2969cccd5fdd65b816f2d5d22a0bc38363fe6

SHA256
a44046678e10ecf665fbf92cbb1bc83feb2fce891d37c394258be12417af9df4

SHA512
fe8ed1d92b4347025e521f8dbfd8488cce5b3c2018356cad7d65bc2ce4fbbc899984e61de07f14a2881338a472ecb1eb2a14185214a556a5e165bccc85185983

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
af130711141268fc3e64831e1b629027

SHA1
8ee2969cccd5fdd65b816f2d5d22a0bc38363fe6

SHA256
a44046678e10ecf665fbf92cbb1bc83feb2fce891d37c394258be12417af9df4

SHA512
fe8ed1d92b4347025e521f8dbfd8488cce5b3c2018356cad7d65bc2ce4fbbc899984e61de07f14a2881338a472ecb1eb2a14185214a556a5e165bccc85185983

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
4e5b08bc0c063c383316a095eb9fd2f2

SHA1
76bb3d4c49a282b43a6177cfd553beed1fddd39c

SHA256
0cdb25a7410153121cc5643f9a47056c4dd9574af729f278ea5dfa595ecc21c3

SHA512
2a7eaa97f7a155789a8a171f795120012be491a7f81eceb3835e465ae42992759adbb57d0c71713b38d3be1db71756f62206c8b10def8a6a19a8ff7522a9b1a2

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
49c1b40fdff9be1ed6e52f41703078aa

SHA1
78e0d6a597d723ff872019235d9c1acf0d18b35d

SHA256
2919fbc72426476dba066b530bf8c9ed019b1e1764b46852c7c4190522bfc8f6

SHA512
1c2a8c178b3529dbaa522324c483d5c5c1dbfe3f857b6308583055276ce8e0f5e865dd3b4b8722cd25fb7391f32165c51d3e9f2f48ec1249380b407e6043d9b8

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
dafdd553a421d74e6d87a21164ac2fce

SHA1
86769add620f3e6a7897c7487df45d4a97d38010

SHA256
6fddd2ad323c1f025ee084f1c203f3ae63b68a7f9a70478bbc7872f82805ed2c

SHA512
1d40e4e12c93348db4d8f90b6ce3274096fa7cb0779efda12e4edbf51d9dda8d863fdffd77a38f8122170f5c1b2fd68dd48d8dd0d1c069a10248a6420176c9d7

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
dafdd553a421d74e6d87a21164ac2fce

SHA1
86769add620f3e6a7897c7487df45d4a97d38010

SHA256
6fddd2ad323c1f025ee084f1c203f3ae63b68a7f9a70478bbc7872f82805ed2c

SHA512
1d40e4e12c93348db4d8f90b6ce3274096fa7cb0779efda12e4edbf51d9dda8d863fdffd77a38f8122170f5c1b2fd68dd48d8dd0d1c069a10248a6420176c9d7

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
0293b41f0cb0891e3ad6bf28912df0c5

SHA1
0a279faceeb5159266ad767cc82b5c4eca3d774a

SHA256
cb6fe1a6844dbc413ce0941e6cd2aa10c849ac7b0367f1dbc79985976df68597

SHA512
87ab27335dde160dbf21e58e92fe2ccddf8336c2f03c4304c4696eb8ba805a4f41bb8c00172589bc5c790f23234e8581bae0b338b40541f877f384a37ec86c48

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
0f1bf387e3d64cd8b745578b60c8258c

SHA1
031fb44bb6c1936c9429a7523087746e8b121980

SHA256
70fab0c85003d0b2caa0c85dde488ec658f9882ed57964e4df80750d2aaa0ace

SHA512
77b36c6a9eb591b555821a476e74740b493e0afa9084b800da31c5bf9fa74642453c9f90613a3ecb95f053e7681383aa6a7077505d2f62db15b48e45eeb82f3c

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
17ea04d9f1ff00a04d7e34367389b80d

SHA1
f29e650aef320115e26c0aac74b2f72ec5b77a24

SHA256
1df5f93898b023096d4490838fefb420025e5bfbc74bf1f908ba38be0e8e6979

SHA512
6983ad190813f15a39be610ee3323377555c159de9accc15c396629b1361145f65a6133862834ec9959468f72f9feefd992132ed338c62ff2fc886f2137bdd98

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
fa0afd142cba21ad9c23b76a72bbcbf7

SHA1
e5b16aee4d28ab7261953fac9d6dadcb0a606c7f

SHA256
42b132dffcf453af39c13553aa22cbd42bc52243b2e5487538ea6f6153be815f

SHA512
c444c0d61c1ae78056207e38f5727f7f961366db78e9111f300e0fd052861fa51335b27d6bd6568c9d93badfe204543fe811e96cb3b24b78318bed71f728b8b6

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
cb205414c525b64ada7908b69928284c

SHA1
53e9cf444424cb08d8a71699c4ae35b9df568be8

SHA256
da34fbdb2cf299c100ca319078f7f132bf79a20b288ec72f7bc4653dd66942d8

SHA512
96981fafd279198a87135700038dae1eea04884e2d8d7bab43d844a2338e7f43ed9007354b0e9bc82f9d4dd147c709b421f3c872bbd830a0565117db4b510146

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
75aa0b6ca6c6828884a79a134d7d3d30

SHA1
a7b80de705bc9114a896ad1b53bb2a6566842edd

SHA256
75398f478dcd38747a2c864f58c98a19e8d3bc2fa133bc8181e78cd45965fab5

SHA512
86f6f1a7ba54e3d3c6b96f8b0dc0ac1d04526c1e93d8ccf27b268e10946bac8e3a953eb72fd59cb7bf722b70b78465b3ec2fa66a50d0dfd83bbb393dd160d9cc

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
a404358b262abf86eff067cd106363a8

SHA1
e4d99e463ab43fb3f385f2c9886bd6c3fcf09571

SHA256
9971b0652f465e436ce36fc989752fba2a964ceb6984b374f9b0b0d7b71b8ece

SHA512
efef43bc5129d1105a11414e3eb0a86b56163ef72b7e7ee6c3dda4fc7f8043fec427c94e6c2d706c5ddb13421cf41ce2bd9f56d0fe2d4f0ce9b81e6eab582a89

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
303f1eaf10614d1dde524dec8289347a

SHA1
6b69e43390c0575f45253f47e24f2a2a6f497017

SHA256
56439e8c1fb53e93b640a954e6a6f736a55aa1f9577bd1f013df1f327d48f00a

SHA512
f8deaad2e8001963cba91790315c3312044d256a623f646023846c155e033a597b6833878e43ae7a1ef2a52ee8045062b92ac3561a5b835ae7f8146656e0ec36

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
1fba68a1f194a9d2ac20aa2dd920691b

SHA1
01129fb8bd56c19b04611e99a2bc510c067d219a

SHA256
eda8fd28f67718b0fecde5789b87fde80b9402431ed2f2dfe10b0a8bada81ed6

SHA512
6bbad63d0580bceb5ec04ebdddb9c1be160d05119b9fe6b886afca2b5247d50d8a12db44324f281184c6f4f8273078393d9423cae46df774767822275843f12e

Download Submit
C:\Windows\system32\AgentService.exe

Filesize
1.7MB

MD5
879b472ca836fc82caa56a7aa2301788

SHA1
ee662967a629d36b0c9e32c3a3451bc0aea0d8d1

SHA256
48593989b4cf1411d891480ae1dcf4719bd3362f7b68d4ff1379ecbb7ec0c278

SHA512
31c1883be253fa6bffe3c3f35ce66e06385d5e0fc9bdde97813e9120e6a3e5abe11432811c9f2a16a9264d5baf460c963d279459a296191d117f4f78c4ae5db2

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
4e669139f37daabe3e6fd360ef1219e1

SHA1
4d10a790a2f9ea4fb6fe1482d7fdbae13aa6213f

SHA256
a6ea184c6ec379ba324e3ec89f6de5e6ff9882fede7f75214fb7b941e13ae4d3

SHA512
3dc272b6f45480098a131061922824aa25185e3644c2072d4d6a6b4629ff36725bc2e931ca0f8ceceab27e2d07d09932f15fce4cca81248b21cdcdf415dbc4a7

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
3382529aea86f2a790d1219c81881170

SHA1
9426587b901ebfe31724f8c70264b9e09034566e

SHA256
239cf0394380ee4936a2564f28049c9fad4f4385355d911cfb28cf304ac77a28

SHA512
ae84bb389f9e6419b5111415ddbc5acc6c8d8af0030fe3a4ee485f672537a4643a893c6b0594d78e7eabcb407f6fd8fef397c05eb22f8676052ac92aeb4b9841

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
b9d534ad4ba8da73378fe3a81753432e

SHA1
4d2dd2404050efbb3477b82612946e5028b66413

SHA256
9c7930abf53058bae7bb877a272135e2a4ddb1897ec58b7ecca49602cd62a2bc

SHA512
a8b195115ec27b231a7592752280d25a331566d9d07e0a457efb31f1e171dbc5c8697a829cab6400aa4aff55824c0e383ac8d7a4390fafaf2dbfe7261a528efe

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
3c52327485ea6613aaf77f8ec128cc68

SHA1
835cd70e07a206177504c02b87e06fd6862e8de1

SHA256
1a79060d656e846a7fd75fd3f16e8ae06ce9f5c1efe72dde411d1102a2bc1d53

SHA512
9c4ccd67a9a30d5b683d2b6795ff7a1b4a429b08e28f7b680261ae3f08f4ab42f45f2526cc41ee6ed5fcc84c8931f6165f41fc1e566b270a3a3bcb8ccfc4493b

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
f02888ce82e1729ff1dbd6cfc98e47cc

SHA1
9281da8f4285f3ad2388f26c7822fd27eb0f0378

SHA256
8ee109dd090d215a58e2acf65956db7d7bbb64c3bf564a18abfe05c64a524dc7

SHA512
63f290b39cd67ce9e7e45b95c4f48d9e8871d5ec8acab160b29be34f7d16b52de4534eb352874c81c9febfa413c9cf5006011ae0b5b8ea02f7ace92c3f9bf29d

Download Submit
memory/816-459-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/816-675-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/892-279-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/1080-336-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/1348-609-0x000002877B700000-0x000002877B710000-memory.dmp

Filesize
64KB

Download
memory/1348-669-0x000002877B8D0000-0x000002877B8E0000-memory.dmp

Filesize
64KB

Download
memory/1348-644-0x000002877B730000-0x000002877B7D5000-memory.dmp

Filesize
660KB

Download
memory/1348-683-0x000002877B710000-0x000002877B711000-memory.dmp

Filesize
4KB

Download
memory/1348-359-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1348-642-0x000002877B730000-0x000002877B740000-memory.dmp

Filesize
64KB

Download
memory/1348-716-0x000002877B8D0000-0x000002877B919000-memory.dmp

Filesize
292KB

Download
memory/1348-610-0x000002877B710000-0x000002877B711000-memory.dmp

Filesize
4KB

Download
memory/1840-458-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/1896-216-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1896-229-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1896-232-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1896-224-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1896-226-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/2084-134-0x0000000005F40000-0x00000000064E4000-memory.dmp

Filesize
5.6MB

Download
memory/2084-135-0x00000000058D0000-0x0000000005962000-memory.dmp

Filesize
584KB

Download
memory/2084-136-0x0000000005A80000-0x0000000005A8A000-memory.dmp

Filesize
40KB

Download
memory/2084-137-0x0000000005AE0000-0x0000000005AF0000-memory.dmp

Filesize
64KB

Download
memory/2084-138-0x0000000005AE0000-0x0000000005AF0000-memory.dmp

Filesize
64KB

Download
memory/2084-139-0x0000000008240000-0x00000000082DC000-memory.dmp

Filesize
624KB

Download
memory/2084-133-0x0000000000D90000-0x0000000000F28000-memory.dmp

Filesize
1.6MB

Download
memory/2148-577-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/2148-251-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/2548-313-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2668-281-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/2772-364-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/3044-220-0x0000000004DE0000-0x0000000004DF0000-memory.dmp

Filesize
64KB

Download
memory/3044-205-0x0000000000900000-0x0000000000966000-memory.dmp

Filesize
408KB

Download
memory/3224-456-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/3224-140-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/3224-143-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/3224-144-0x0000000002A00000-0x0000000002A66000-memory.dmp

Filesize
408KB

Download
memory/3224-149-0x0000000002A00000-0x0000000002A66000-memory.dmp

Filesize
408KB

Download
memory/3224-154-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/3360-391-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3360-674-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4104-191-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/4104-195-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4104-181-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/4104-187-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/4264-212-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/4264-560-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4264-206-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/4264-219-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4508-248-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/4508-234-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/4648-163-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4648-177-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/4648-157-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4660-393-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4660-671-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4720-535-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4720-199-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4720-201-0x00000000004D0000-0x0000000000530000-memory.dmp

Filesize
384KB

Download
memory/4720-193-0x00000000004D0000-0x0000000000530000-memory.dmp

Filesize
384KB

Download
memory/4744-631-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4744-334-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4820-311-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/4832-312-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4832-584-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4896-175-0x0000000000550000-0x00000000005B0000-memory.dmp

Filesize
384KB

Download
memory/4896-169-0x0000000000550000-0x00000000005B0000-memory.dmp

Filesize
384KB

Download
memory/4896-178-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/5116-366-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5116-670-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download