blustealer | b445018afa2dee3bda17e65e52a7a3c143b0ae31abd00d26f58a4fa3319dd523

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
16-05-2023 13:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmpvr2meydm.exe
Size

1.4MB
MD5

1dab5e05ac3651db47b6f881dab8dd3e
SHA1

66c37ab30dc83b3519815b2406cc6dd332e4d91b
SHA256

b445018afa2dee3bda17e65e52a7a3c143b0ae31abd00d26f58a4fa3319dd523
SHA512

dd31a50b54385b3c1917e6eb17e7970c2fd97ec481c297865d7f37c7f2ea137ed8b60a131e7de5a7eee2278f5d26951c9da0be4e2babb00582993fb1cf8b4472
SSDEEP

24576:t9j0kMtM5Gcc59B40fuI3At9NzS1f8iGiEKjOWVQbHnERMJaICUQqi+4P8mHMC9i:7MOqu0fpAt9NzAEi7XxsERNB5PRsYo

Score

10^/10

blustealer collection spyware stealer

Malware Config

Extracted

Family

blustealer

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 22 IoCs

pid	Process
4076	alg.exe
752	DiagnosticsHub.StandardCollector.Service.exe
5100	fxssvc.exe
2408	elevation_service.exe
4248	elevation_service.exe
2508	maintenanceservice.exe
4240	msdtc.exe
2000	OSE.EXE
2396	PerceptionSimulationService.exe
2660	perfhost.exe
1276	locator.exe
4300	SensorDataService.exe
2652	snmptrap.exe
3180	spectrum.exe
4648	ssh-agent.exe
2628	TieringEngineService.exe
2644	AgentService.exe
3396	vds.exe
4484	vssvc.exe
1756	wbengine.exe
4812	WmiApSrv.exe
2468	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	tmpvr2meydm.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\7479feda9a2815e1.bin	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	tmpvr2meydm.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	tmpvr2meydm.exe
File opened for modification	C:\Windows\system32\AgentService.exe	tmpvr2meydm.exe
File opened for modification	C:\Windows\system32\wbengine.exe	tmpvr2meydm.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	tmpvr2meydm.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	tmpvr2meydm.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	tmpvr2meydm.exe
File opened for modification	C:\Windows\system32\spectrum.exe	tmpvr2meydm.exe
File opened for modification	C:\Windows\system32\vssvc.exe	tmpvr2meydm.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	tmpvr2meydm.exe
File opened for modification	C:\Windows\system32\dllhost.exe	tmpvr2meydm.exe
File opened for modification	C:\Windows\System32\msdtc.exe	tmpvr2meydm.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	tmpvr2meydm.exe
File opened for modification	C:\Windows\System32\vds.exe	tmpvr2meydm.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	tmpvr2meydm.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	tmpvr2meydm.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	tmpvr2meydm.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	tmpvr2meydm.exe
File opened for modification	C:\Windows\system32\msiexec.exe	tmpvr2meydm.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	tmpvr2meydm.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	tmpvr2meydm.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 5052 set thread context of 1172	5052	tmpvr2meydm.exe	93
PID 1172 set thread context of 3632	1172	tmpvr2meydm.exe	99

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\unpack200.exe	tmpvr2meydm.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	tmpvr2meydm.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe	tmpvr2meydm.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jhat.exe	tmpvr2meydm.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\schemagen.exe	tmpvr2meydm.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\xjc.exe	tmpvr2meydm.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javaws.exe	tmpvr2meydm.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\policytool.exe	tmpvr2meydm.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	tmpvr2meydm.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	tmpvr2meydm.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe	tmpvr2meydm.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jinfo.exe	tmpvr2meydm.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\orbd.exe	tmpvr2meydm.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe	tmpvr2meydm.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\pack200.exe	tmpvr2meydm.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	tmpvr2meydm.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	tmpvr2meydm.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	tmpvr2meydm.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe	tmpvr2meydm.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	tmpvr2meydm.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\java.exe	tmpvr2meydm.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	tmpvr2meydm.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdeps.exe	tmpvr2meydm.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\wsimport.exe	tmpvr2meydm.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javacpl.exe	tmpvr2meydm.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\unpack200.exe	tmpvr2meydm.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ktab.exe	tmpvr2meydm.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\orbd.exe	tmpvr2meydm.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	tmpvr2meydm.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	tmpvr2meydm.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	tmpvr2meydm.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	tmpvr2meydm.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	tmpvr2meydm.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstatd.exe	tmpvr2meydm.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\keytool.exe	tmpvr2meydm.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	tmpvr2meydm.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	tmpvr2meydm.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	tmpvr2meydm.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	tmpvr2meydm.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jcmd.exe	tmpvr2meydm.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\servertool.exe	tmpvr2meydm.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	tmpvr2meydm.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	tmpvr2meydm.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	tmpvr2meydm.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	tmpvr2meydm.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe	tmpvr2meydm.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\ssvagent.exe	tmpvr2meydm.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javaws.exe	tmpvr2meydm.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jp2launcher.exe	tmpvr2meydm.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\pack200.exe	tmpvr2meydm.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\java.exe	tmpvr2meydm.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	tmpvr2meydm.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	tmpvr2meydm.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmc.exe	tmpvr2meydm.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	tmpvr2meydm.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jabswitch.exe	tmpvr2meydm.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	tmpvr2meydm.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jconsole.exe	tmpvr2meydm.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java.exe	tmpvr2meydm.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	tmpvr2meydm.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	tmpvr2meydm.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	tmpvr2meydm.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000095c900590988d901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a144055c0988d901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000eea51590988d901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000646c285a0988d901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005cef45590988d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001f77f55a0988d901	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000062e3c45b0988d901	SearchProtocolHost.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	92	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
5052	tmpvr2meydm.exe
5052	tmpvr2meydm.exe
1172	tmpvr2meydm.exe
1172	tmpvr2meydm.exe
1172	tmpvr2meydm.exe
1172	tmpvr2meydm.exe
1172	tmpvr2meydm.exe
1172	tmpvr2meydm.exe
1172	tmpvr2meydm.exe
1172	tmpvr2meydm.exe
1172	tmpvr2meydm.exe
1172	tmpvr2meydm.exe
1172	tmpvr2meydm.exe
1172	tmpvr2meydm.exe
1172	tmpvr2meydm.exe
1172	tmpvr2meydm.exe
1172	tmpvr2meydm.exe
1172	tmpvr2meydm.exe
1172	tmpvr2meydm.exe
1172	tmpvr2meydm.exe
1172	tmpvr2meydm.exe
1172	tmpvr2meydm.exe
1172	tmpvr2meydm.exe
1172	tmpvr2meydm.exe
1172	tmpvr2meydm.exe
1172	tmpvr2meydm.exe
1172	tmpvr2meydm.exe
1172	tmpvr2meydm.exe
1172	tmpvr2meydm.exe
1172	tmpvr2meydm.exe
1172	tmpvr2meydm.exe
1172	tmpvr2meydm.exe
1172	tmpvr2meydm.exe
1172	tmpvr2meydm.exe
1172	tmpvr2meydm.exe
1172	tmpvr2meydm.exe
1172	tmpvr2meydm.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
672	Process not Found
672	Process not Found

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeDebugPrivilege	5052	tmpvr2meydm.exe
Token: SeTakeOwnershipPrivilege	1172	tmpvr2meydm.exe
Token: SeAuditPrivilege	5100	fxssvc.exe
Token: SeRestorePrivilege	2628	TieringEngineService.exe
Token: SeManageVolumePrivilege	2628	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2644	AgentService.exe
Token: SeBackupPrivilege	4484	vssvc.exe
Token: SeRestorePrivilege	4484	vssvc.exe
Token: SeAuditPrivilege	4484	vssvc.exe
Token: SeBackupPrivilege	1756	wbengine.exe
Token: SeRestorePrivilege	1756	wbengine.exe
Token: SeSecurityPrivilege	1756	wbengine.exe
Token: 33	2468	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2468	SearchIndexer.exe
Token: SeDebugPrivilege	1172	tmpvr2meydm.exe
Token: SeDebugPrivilege	1172	tmpvr2meydm.exe
Token: SeDebugPrivilege	1172	tmpvr2meydm.exe
Token: SeDebugPrivilege	1172	tmpvr2meydm.exe
Token: SeDebugPrivilege	1172	tmpvr2meydm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1172	tmpvr2meydm.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 5052 wrote to memory of 1180	5052	tmpvr2meydm.exe	92
PID 5052 wrote to memory of 1180	5052	tmpvr2meydm.exe	92
PID 5052 wrote to memory of 1180	5052	tmpvr2meydm.exe	92
PID 5052 wrote to memory of 1172	5052	tmpvr2meydm.exe	93
PID 5052 wrote to memory of 1172	5052	tmpvr2meydm.exe	93
PID 5052 wrote to memory of 1172	5052	tmpvr2meydm.exe	93
PID 5052 wrote to memory of 1172	5052	tmpvr2meydm.exe	93
PID 5052 wrote to memory of 1172	5052	tmpvr2meydm.exe	93
PID 5052 wrote to memory of 1172	5052	tmpvr2meydm.exe	93
PID 5052 wrote to memory of 1172	5052	tmpvr2meydm.exe	93
PID 5052 wrote to memory of 1172	5052	tmpvr2meydm.exe	93
PID 1172 wrote to memory of 3632	1172	tmpvr2meydm.exe	99
PID 1172 wrote to memory of 3632	1172	tmpvr2meydm.exe	99
PID 1172 wrote to memory of 3632	1172	tmpvr2meydm.exe	99
PID 1172 wrote to memory of 3632	1172	tmpvr2meydm.exe	99
PID 1172 wrote to memory of 3632	1172	tmpvr2meydm.exe	99
PID 2468 wrote to memory of 4344	2468	SearchIndexer.exe	121
PID 2468 wrote to memory of 4344	2468	SearchIndexer.exe	121
PID 2468 wrote to memory of 2676	2468	SearchIndexer.exe	122
PID 2468 wrote to memory of 2676	2468	SearchIndexer.exe	122

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\tmpvr2meydm.exe
"C:\Users\Admin\AppData\Local\Temp\tmpvr2meydm.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5052
- C:\Users\Admin\AppData\Local\Temp\tmpvr2meydm.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpvr2meydm.exe"
  2⤵
  PID:1180
- C:\Users\Admin\AppData\Local\Temp\tmpvr2meydm.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpvr2meydm.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1172
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path
    PID:3632

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:4076

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:752

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4616

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5100

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2408

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4248

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2508

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4240

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2000

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2396

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2660

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1276

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4300

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2652

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3180

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4648

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3912

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2628

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2644

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3396

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4484

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1756

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4812

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2468
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4344
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2676

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
edc3c33a55f56d191d84fc036d01af50

SHA1
c935c367b3d6de423979f612d6803a2c5656d259

SHA256
0dd7cd912d80d1fa995434d88477aaf968cb2258f43483c907655a8d492f0adf

SHA512
1cbcec122ac028f95339dcb440fad715815e39d6edd278b6039a782f7ea322614a1e0ca2ce6587dc0689c68d500303cd848122a60c6e90e6b94b9b4392b49ffe

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
28beed7d8085230947af4352ea8cf473

SHA1
d9e55040e89646238a1e61af11e65bc317e5645f

SHA256
056fd73912ff2ba74deb6c2c3a43f4557e9048022826b44cf3bc09e819266ac1

SHA512
81051324a76caef64a18083d9aa6650b759978403b9a75e135aaec6f8c81a9d616d68c595ed4f2f251c67555087e89cb4002ba85375e048c3094f3594e4fd88d

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
28beed7d8085230947af4352ea8cf473

SHA1
d9e55040e89646238a1e61af11e65bc317e5645f

SHA256
056fd73912ff2ba74deb6c2c3a43f4557e9048022826b44cf3bc09e819266ac1

SHA512
81051324a76caef64a18083d9aa6650b759978403b9a75e135aaec6f8c81a9d616d68c595ed4f2f251c67555087e89cb4002ba85375e048c3094f3594e4fd88d

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
06ec54928592bc47d0dc64e46c3d8812

SHA1
36fcab44417942127bbab6942ae248e6c934a3d6

SHA256
a184255e513566aba397e0fb79d8a71a92836f3d263a4f538bf4e9f8226bcac7

SHA512
b7db9f43cbb937a71ee7ebfde5f92f2c28ef443413177c90e3b696372cc12696e5065b487242efc4489bb4d7043405190cc8399fd37d885aea4b11387b8329b6

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.4MB

MD5
277bc9d06a15cedb2de1881b0a5e7fe2

SHA1
c5b53b701418ea0619fc23329b44ad3c2b04931a

SHA256
1ef121abdd4e3506c152efec718e3cb939b97dc4448be81ea965a0b327028fe8

SHA512
86afd7af0e9771ae5b7ea06c0e4410d31682862f710f02009af04b30c15127d610d796330210ad84792677dfda6cd72bc98371e1c3bb5707c569217f359f9edd

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.1MB

MD5
8be9fd65d96168e950137d1f7350e3c4

SHA1
291cc5f7b960fa9e4ec031881d362bc691d5f86b

SHA256
8e0dfd4ea20baeac94e7d66f54d2765b2ff44eaf51d239c0b63bbf50451f1e2f

SHA512
70270fa4a29ca98de368d01f8e8adf75c5ec10646f809a99146b454476c5799c5663abda8e3c422aeb46591cee7eb087cca76f675755cdd2eff0fd6ccbd59b90

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
d25bc5178f001aafdc101ced4daa58f1

SHA1
2c28cc186b1cd1af17c0a916039de082aad3bd7e

SHA256
59b8e0362cc2861bf60df2affa337eec0a28261f7e555b0a721d3ba02eba58a0

SHA512
9bc19925f2840d3aa8ca643236480bfbd87b56925624cecdb3acaed2b43597183b10739415cb45581cdf84c06b6c181feadef8a47bfc43a89a2c335921124dbe

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
23174f1c07cf70e5b31439e6aae061cc

SHA1
440e42429bedb56c3ca5abf010b1e4421bf2d50a

SHA256
58738a2f57317970af2ffce6d25689ce8ef31cc39964947961937cb0bb3d4322

SHA512
06deea2878c2428336c59b6400788bfa451ff554bfdaefd5937c75bde87f750a1f3199bc7a1f6138e9d91e165ea882ee9ab9615d6f184d8532709108bbbb351f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
ec7cc1b7ce4dc03f97b2876500fb289c

SHA1
9953c90f715f07a87c343b70db8fc328e9d38f1c

SHA256
9418824f24b8b8abf7592c05619175c61c0ff39001997784f8180dfa6e0c5368

SHA512
08b841558c5734e6ed12279b1f8f7a6f082f3e9937071077636131d926b0a4c33c622ebe332974365aaec262c5ded54f56955572504fae56b8c3cfd2c369cb98

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
99e6059087ca7fd86a0eeb2039769501

SHA1
5437d70d86299def454546a1f9b87993846b86fa

SHA256
0e34dc50f5b8de03588f9fcd63c448dd2d17ae49ccdee0bddb5e9cefb6a87014

SHA512
e22798589da84090db7565f394818ed660e292877c33149eedfce3293550c7d5abb7fedf2cfb62db8491a708cf03fe9d4d9cfc0bbd73c420a1269d1d60db8bb2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
6.1MB

MD5
9a84214ea4c83ab136d7575abde2744a

SHA1
d96909bbc66e83365bc255d2a81aea3d41cf11e0

SHA256
8d383825dfbdac55926b9347ca2dd6867c93b1199239e975873775848c414681

SHA512
d7606348e584e0e2e2d6247c1eed7c44355b5ca071577670f4d372a565d216fe34a30ab431aaf59d27ea3160e91998546a7854c782c0a8e447b2117472b7e60e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
04840fb39dbd546eaaee50acb0bbbacc

SHA1
20a6a314aa4dcc5681c8437d0f9d73e4a8456ef7

SHA256
856c78a0f130785fa750a2eb6460465bbd86d5ca36b522d9c3f98a68097adadb

SHA512
6d9264ad44ca2e6e5fde676e44679cce5c36095f3820312a935809d7050d42568432f3e0e71f7e6b16317d4ea53325eb21712d8db24475e45d7f0af2f27bcef9

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
960KB

MD5
b0de15a7b28c86cdc2f0c1829952ddd4

SHA1
ae1b29dd71f5c2a7b064833ca26d5c7c4babefa7

SHA256
0ea613ee36180e69e5edbb32d9556f2e7622d9e96435db75e8dccc04a5d821ad

SHA512
d2d706d75d5962c0042be622f5dc8a985680116702d5c3e52aa7b4f68e40434b4d4376c71a6dcaf64c8bb065d416915de6865a19fafa56f5fce145ded9404b0d

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
6c08aa3c982a5d64fafb4d5a82e864a2

SHA1
048d5cfb590736884be97618274221bc84005a37

SHA256
d03a48a5c71622457bc4e55af621d402b06f0d4a65deda2ac185636919bf12c3

SHA512
aae6d329a39b6eeedd2f22c557cbca570819d3cfb4c9b5f889169ed69699596ad937d01beedb1c34e76bfd642db03685d86468a7c4e90b7c1602217eb05e90e6

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
640KB

MD5
174781009cf1bd751fbfe7941c6943f8

SHA1
b8395ed3596840d1db72b8733fe82b13e99b74a9

SHA256
f1dc3a481b3084547604b185becce138123a631b5e1c856deab0c217e4b41f6f

SHA512
5bd7e41a2f16b16b726b6eb61e08d34a69843d5872f59a121892f70cab69dfd6e698797f71470b66d8811355932956ba99c46f8f67c13415e55a010bae8ae3c6

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
27075716f72caab067ddf3a2e986044f

SHA1
82c818e266df7020005a67278d6c78bde5af14fa

SHA256
b16b9be3bfd81710ab95576538c9422a6076d9fb891d8a8c3f30388733aab1e7

SHA512
e6021da4843140efd3d7d496a362390c3a1ebe27716501bc6830ec4cca8428c75a2420913e71fb5cd73d6d6654dea316e5bd3e1d38724a92a67b6e22fed54af7

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe

Filesize
576KB

MD5
87d4cf29c74f2ed4e51f18c5df439b7f

SHA1
62d391e82be23be3193799064f4f64389a83e596

SHA256
102d30e8e0d2a11ee59dd61ab82a39f8e4492c4c17a2155abfdf43dec397cc6c

SHA512
989ee88ac81442effb83d518528e0d2e58a192790a5287bebe886be3eede51398af5acc81d9b080dd95d227533de6f9fc483e1cfe80b3410582a4492f639d70f

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe

Filesize
576KB

MD5
7884ae9eaba996170f6424dccaab633f

SHA1
cd336a782abce23e68b0c310365af2174e4744cc

SHA256
cbcf18c2803fcc46a016feb637acdb2e3179f1d43a339b0846eea8498eff8864

SHA512
1a0e1dcfac7586bc392541873938b21a39327aee485a869cb9cebdff39d87d6b731c9cc9c1a94e19cfac773d25864ddc875ecc847daeb36b544a0c46e4d23254

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe

Filesize
576KB

MD5
e9fabac7a85f4d278cc49a3b4479b3eb

SHA1
2dbafbc14de58e84defc0975783020ec80d8f91f

SHA256
2ba3afe984bf64274d34e110799f270c2083355565b076629a44de7b0ef612b2

SHA512
d2315c952d91324f0df8aea7410b552996ea9078b8eb884cd96c66a836ac35fff3e6218ab4a7628ada53f20d3902f10ad7d2966b67f1ef77bd3644988be64724

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe

Filesize
576KB

MD5
4d46778b6acaa6deb1119ead143395bb

SHA1
935a2ab4bef828a09bbdec690e201a94ddd9cb29

SHA256
0b8e5c1f30c6f8ab901987b04646bfe9b5c960d05550e7bc790556d20561b57a

SHA512
c6f9898a3ab513da4aed960ab598ccb87a13f02c7717a1d0ff698e6f4ed9389cfbbc69533adb871a5c993b41368c6a8751cbf64e478bd8d6da76527fa3a88910

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\java.exe

Filesize
576KB

MD5
8f99b0f7c569053bb52bceb4d6cb640d

SHA1
bf9fc13071713808a9d3de5c89acdf0721bde51f

SHA256
70f1028f4d1a1da24963def1e731e95e8e100a7242edf35ffb38aae853056666

SHA512
190cebc4913e5eccfc7624e4ba6ae7d63236449f9218c991e8035ff3cbfe3bdb619532272edadb20fe2d49957d81660af42e43649b7d020ba210eb056dbc4436

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javac.exe

Filesize
576KB

MD5
38aa41f2a755745da0c0b96800eebae3

SHA1
8348d7b1265ffca85414c2ec5ec3252219f50b94

SHA256
ca9aad1921937fbed5a8d67182d4176c10f0001e8e0b01bfe81dcbf2ea0640ae

SHA512
0dd46526dd75f187d6dd7406fef7ca2c7cb08f56d66265562b5ef40bd7115fccfba14b1eae575857396ded15e374bc3fad0576335f05ec27a6550758a34485a5

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe

Filesize
576KB

MD5
d43110b379847dc84f32d40fa7199253

SHA1
b025b94e65c296342f3ef8f54b10fc9db691e4bd

SHA256
fc28601cecd0e21492444a73f44cc7928b7ccfb186a66c942088d3618be47190

SHA512
d5dda96ea5138e825a50d225fe1938c36dc678eca7ffcb66ae776fccedd37540661bd3209c36c8b067398780045229babf89939445449f7b961825e48a800ca9

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe

Filesize
576KB

MD5
75ed741f996c798df2c152be89bb35f5

SHA1
1c072ce66709b64c60947d55c7b9b91e4c8c7ec4

SHA256
812669e17229b7b28fc8569b6e5a1fba84bd8a0bad7d20014eed73c1322caa61

SHA512
7626dc39436c0952bb5c767efed2dded51fd4d15961ebb04f3fdd6755cc83aaba09f20ece2ca8c5d140d5b83461e21c863033ae8de387ddd785aed98f5ec3145

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javah.exe

Filesize
576KB

MD5
0068c2242dbe4eb0ed5f7baeeb35a4cf

SHA1
41d7d525b4b07947889c9c1500e48fb7bd2d0a29

SHA256
4f385dfaf7069d7013217c505ee9e5bea77010be9930cd03e3d1589aced4b98a

SHA512
07d0e8de21312e3be9d51a24761e7f3bded6f168ae2f80abffdc9ee2ade492e4fa99f48292175161bc9cf1728aeedbbefde236d37bebca5393380c4ff8993ef6

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe

Filesize
576KB

MD5
4b79bc65b7d867175412b11d809b7e02

SHA1
6afd886d4b87d86ecd46ae6d5423a67a18b2d8a0

SHA256
1b62c2a28e452f16c03fc2c978dced0c9548f1d9b25071ae5cb0083cad49220c

SHA512
6a9d509394b831f228da4e47fb560da06392f0f29dd1857b7d2f9fc8dacdafd9470615d438b38c308a3d1687d595056c3e8024de9228e55da4c01f267b338898

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe

Filesize
576KB

MD5
d715bcbbfafc51d52e9cdad172d31c21

SHA1
5ecf208c2491f628c02253d0edba317ef7112b95

SHA256
a957492f28a209e72a2e9cc59047011deed2b0c98b586f2cbdedb3ea1bbe36fc

SHA512
5bbc545872ee52237ecd8bbe52c237e40708d925f5796a2d67e21b89fe180dcec29ae68931383e0f763d2ba3af4320685d1402b0a8b3bf86e6dc13313973b7af

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe

Filesize
576KB

MD5
a18b58ea5d30bd733f247e6b642919da

SHA1
2d203bde23d042550f0f17db0c473f3bdd358d0a

SHA256
09e8122f93731ef756ffa58edf7946d2e4cbe8b8991897284ae3fc35e0e8b2bf

SHA512
b53215d8459d458f2e178596c61b75ba61cec52b9652d214314ac7486c7e8249a8c1b46f47b2cd2c08a04058cfee3c45ca79c04f72f7d9a95a63069eacb92e4e

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe

Filesize
576KB

MD5
bc3a6ff9a66bb1265c1098297f79883f

SHA1
5af4baaeb01482b3127064735012563778e8ab62

SHA256
a3d4734c01a2569412de5d9b7705b5b3e206575541a3dfead9f3f722fd342535

SHA512
ca202a2f6ad9283dd3675d117eebcc4872c318f62c22919ec145efdc3e16a978e437fe07b57d1787ac35054a53b4695fadb8196e46051aea4a42cb0b533c3407

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
aedd97eb93556f9f5c1c56afeacaa26c

SHA1
d9f0be65a34cf5826cdade6752e66483bdc0b272

SHA256
f8d78d66c758399c67ee69860b1ab381ab96f2ec5942d8a1562b8318ea6fa518

SHA512
bf6c76dc19423e3ebc3840f3093b8e96996224c4d2e6d245b17b52a124359d34779fa2ee5f16867ab9cc846b36d9af4517a3e33da9d533ad1866688676e27331

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
004918f18fd20ee86b3acfc6f95f7c05

SHA1
f247fd9ba8557abe54194a1224ec731fdcf05fcf

SHA256
285aa80f1dda240dab4bdbf4ad291363e02c945fb726689fa39c4255aad131b9

SHA512
2bd7b1fb4dbaa559ded2126f6a4172089ec951a3507558e238aef8800b45f9c1f1cf314170488ac459e66933a1a8216838d3dc3d1b28596781cfbe64eb15c9df

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
5e87b4f9ee92d9f72866d6816ad037b6

SHA1
70b184cf09c5c542ea15bb795fc830194ee94132

SHA256
4e602981ad14d626dd4eb8172bb31e5c401f3c88dc01d3e341c7bb1440fdc785

SHA512
eb6214c8b2ab4ab935386ce7ccd02a909e6220425616394419653d396b6c4c9bb16fce63f3bf0e477576e437dcbf424d28ba6487e45458cb9fca1d11210e08be

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
70e68fd5d762e3789ca9d6468bf0a1d5

SHA1
186eea87d5164d29dda06b009fb0e1ea139a21a6

SHA256
f222771a867865660c941d26088070bef2b8b4a0992f2dc9322242c7ddcd5a15

SHA512
737b166e92f2abf7576d7cd3d8430242364a14c3e1f67a4fbf8f03f03fbacda0901294b2d3188fa72319d5a284d5fc3b66c370fa07e99a61f52b2e723753b060

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
78085bba7515525ffdc7a42447f2d247

SHA1
dfd7918dfb9cf0c5e13ef2346fd4a85de5046bfe

SHA256
b85cda583ac35f3360822e44bbe4556ad9026c27fc248f99f15b30d6a33960ef

SHA512
7b96d199afc0f8e67e8c4115e55fc6af8d7d2764eb8ab6f15af29e6657089d044e41e96c3048c6698c9c002a653ceff7a4582f989580eb1d134fd243acc5b978

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
384f27f68dc38b22fd8a440d6e81ff1a

SHA1
726032b29069f427205df4ee9c32dcae56f0deca

SHA256
37e32437ceb08a39248fd96e9e99e059ab06da8088bc850e1c17c4f58912f57f

SHA512
d60fd596c068ff29d044e4a4e21da47f275dee2debc41990e19e4d11a09987cc171d6e47a805c718e0a2a635daffde8f6428707cb52143108c8fba434841a262

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
29c8f017c1ecd9ef4e2406d8447603f4

SHA1
352cc06e6839a7265a5f2d1d557ba0bbd4c37d22

SHA256
b2643cdc98e75b74cd508624db3edb301152552ff737274e802256291547ff03

SHA512
169bcc16a17fd9d272dbc0103ca8e420e2d582f754806ee59e2a9b14f57e3743748142a09e8d3fdd93a8b5a077ad66bbc6296173d32f32efd4b211c45b096256

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
29c8f017c1ecd9ef4e2406d8447603f4

SHA1
352cc06e6839a7265a5f2d1d557ba0bbd4c37d22

SHA256
b2643cdc98e75b74cd508624db3edb301152552ff737274e802256291547ff03

SHA512
169bcc16a17fd9d272dbc0103ca8e420e2d582f754806ee59e2a9b14f57e3743748142a09e8d3fdd93a8b5a077ad66bbc6296173d32f32efd4b211c45b096256

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
70bc2cd2b20d130d7f7d7a20f67fb493

SHA1
1d830d83a88f19ce799910d322b16f9884c68737

SHA256
b6df90413501dfd6944d0601bcb7867a888ae3efb57349ca46abe435c9757713

SHA512
c2370c509b88892ea424b4d7d8c16c0b78c8bae24346dc1bfa2ca87e5acbae243436fd6db3c3151844032dd47ad730b44113b85f53d47e80b1eb3c3360713652

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
fca2b75e4eeb2f035d3aed321ed44a3e

SHA1
b1dabed50eab7ac82db4edbabea90af4d128f702

SHA256
451f92708a3ac34123b5bde071c7c7a1f701648e4bf88e8ac6ebc80be77f9d70

SHA512
796e0fcce781c01c545b88d1e95c7cfc7ff991d3eb094d460ad127dd8c17032b16e79413cd9701144f66109a8cd009abb384329887676a9318857a3af11aad58

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
9d4e220bd0d992014e9606a0de05fd5b

SHA1
d0b966524837507954b83f489c39ceab3f4089ed

SHA256
3c315f29526b15060df141ed5c2a673fb80b2f07d29bc8d9c6b242f00409fc3f

SHA512
0df01e80bb7ac16bd1a285be990480b0dab8d0551eb6983721d09f70378ca932718d76f6d8e369d6cf3779c6f905762d358dd4e48e3328b3297075ea7e4bfcb5

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
9d4e220bd0d992014e9606a0de05fd5b

SHA1
d0b966524837507954b83f489c39ceab3f4089ed

SHA256
3c315f29526b15060df141ed5c2a673fb80b2f07d29bc8d9c6b242f00409fc3f

SHA512
0df01e80bb7ac16bd1a285be990480b0dab8d0551eb6983721d09f70378ca932718d76f6d8e369d6cf3779c6f905762d358dd4e48e3328b3297075ea7e4bfcb5

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
617144ecf497146091c41ddda47e3ef1

SHA1
af80ace87b4056345794fb15103e9bdbe6ff163c

SHA256
fc714316dccdc3f4e9aba0c9867f07655ed9735114207907762e33d80b6ee6b5

SHA512
ef173bacbea9807dc1daaa75a7a3119256b24c12fb83e9bac2885a3f419889f6477dd16dcb3cabedb746e1f9ec446ef5acc29d28c6b844bc850c864e93ac852b

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
1a851b4469e5b8bc7ec979db2b74bb20

SHA1
00174fef63501f02d7db6b0692939e88c0a23511

SHA256
295693d11ecaa70f5ad2628787cbdfc8d6dd4ee5011a3d92a7ead025d23a8361

SHA512
6d8971bf45f58e43689e726b058205c9ce53be125e047398be0e97086358d6bbf021593b63b93e28a4404e8bab5a397c723d22c4adc1a8055852c07e20d945b1

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
7f7df09a2fc054cd73fa5e12d60dc272

SHA1
c9e92b49c7c9c90e05ab0ebe9c22849409230c8d

SHA256
de131f7af8e26f993bac2fe901a2f526894d8e4e7b3b262409401fe06b0f8310

SHA512
7ea500ea636d1bce4388dbb1c9c331436466136861b9941f80a2c0d35ff29d18b3d89567ce09ed70e1c65ea4a26357324c7904ad575054a89ba5d6a19522d0f5

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
e8c2d0c9668781f43dbe204a92f20d0f

SHA1
840ae10624f6c6c0261d2ae1a2cae4427dbd55a9

SHA256
2a0dbfa3467d95106553c5f0ff455f261b1b458dbb92c03d92bf8d4fff69a67b

SHA512
d9723cb75beaff81debc80fd7f341c29e133f60f6b2458d294d11232501de0b1cb1a735c7a2c9aaf7393a0e7cc3eb5d805cc1a62bfdc6e04f82e32aeb54349a5

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
b1566eb96f4a7abd07daba66f3c9fdad

SHA1
a7898eedb05c2cf067a9ab185e064a64c05bcc20

SHA256
1b7b302d3a8f1cd62ee60785f7b3444c5f6eca4451e4a18dee56097116c1be57

SHA512
21622dfe7c0779de7eb1c8a009ea2dcc72eea8b24b98b2b12ab7118947928979b42308a55c8c67f3f111a10be0dd9429fcbc9e39e69d5d8b5bd1013ff343742b

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
15abb3596e9f3d811ab52dfeaaf6d8d2

SHA1
3c2d179b248a3ea678e9843a4be0e8fff5677d2d

SHA256
e1450d7d213d32c9d3b0b2bea7a1eba13b1ae3670176be8646716bdbb3f40453

SHA512
5194d12e7edbfdda4086f7f7bd6d18c1470c92d3bed936170e1c541d7c18a7ff745643cecda014b353ddbf9e4e1316ae86ae525c6ef0e873bda8ac8568dc61a9

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
a5aeb8dcfe068261058070720604487b

SHA1
3a325c6659b778385e52906dede8cc2c1380a1f3

SHA256
089cf40e6f209984395ec185d98e65ac59c94dbef3f3cc57dca43d119d1e02e6

SHA512
0999151dcc93063ab1f385b95d5777f97a73374babc9d4438391728b95ae4fe316b0f572f065ac8f573a56f3bbd3615209ea1e971a7f48646203a97981a0ddb1

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
a29bd20375e6c992387d56c24a458cb5

SHA1
ca943534e01ee19bc795431001b666bc33426804

SHA256
99f61c4a086b2a09a35ca10b96cbf1b703d894ce16d442ac075f0fece23c69a8

SHA512
f9e0bbc66e5d7d8aaa87ebca765031fdd79243ffd0941433f078011931ccde17bccf4a7d9a13b995585ffafa35eb23a810daf47bb56e9042fe0ee537e2d9de77

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
a4df0ca46c6b44ce00aeec48820cabc8

SHA1
6176161f333fb79f4cad0c2e7f618f7e8167e751

SHA256
2c5c820ad3819f35d0865481409ef8b546d7957289ce869c073c3cf6d3106688

SHA512
ebdbde760bfda2379304b302457a5e5c7e2274314439d41f8453cc6e9b44877f46831d5f3d9223e438251a0fe7d5456280d2bb4be8f455bd5371ab7f584404e5

Download Submit
C:\Windows\system32\AgentService.exe

Filesize
1.7MB

MD5
5e87b4f9ee92d9f72866d6816ad037b6

SHA1
70b184cf09c5c542ea15bb795fc830194ee94132

SHA256
4e602981ad14d626dd4eb8172bb31e5c401f3c88dc01d3e341c7bb1440fdc785

SHA512
eb6214c8b2ab4ab935386ce7ccd02a909e6220425616394419653d396b6c4c9bb16fce63f3bf0e477576e437dcbf424d28ba6487e45458cb9fca1d11210e08be

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
01205237b79cfa94d42bf56bf8bb3d94

SHA1
6a91f7fb8194b5e24b23f3a17360eaaabf78eef1

SHA256
2c020cbc1a7a63f5f0a3da8c23a6c9f6e7848301926b8f39f525060871f43be2

SHA512
3b1724fe34bb69e9a9caca0256713dd50d79ede9d0998deb25dac9bde6ee836e98fd98748a42c15ece5d8d40898da2ea65fd0e8581005beb95a1ff8d392ea194

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
e11b6b5ef144e64fc6612df4b05f336a

SHA1
a1a59da88a858bf5c96481b1aac53688e2e9768d

SHA256
aa64138485638c600727a8f2117c499f9e895f6bb481c824d3df4cb9eecd4da5

SHA512
1ff743bb98eb4ad7e06a62f13344bc4bcb8cff72fed7cd39d9cba0a5518ff85e772ca5480f9d6f51e426ff3af70a00266782e6026599939f6224042d5a0050fa

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
78085bba7515525ffdc7a42447f2d247

SHA1
dfd7918dfb9cf0c5e13ef2346fd4a85de5046bfe

SHA256
b85cda583ac35f3360822e44bbe4556ad9026c27fc248f99f15b30d6a33960ef

SHA512
7b96d199afc0f8e67e8c4115e55fc6af8d7d2764eb8ab6f15af29e6657089d044e41e96c3048c6698c9c002a653ceff7a4582f989580eb1d134fd243acc5b978

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
de6d23daab4f9ca4d2f33c8e604214a6

SHA1
7eeb4432469d20d3a5f8745efb636862107c52e1

SHA256
143f86d7255f0f82b54334ab8c4bd261391f3d23e61b49995aa65ac79a20b0e8

SHA512
fe82b1018256810fdebaf0fc4d7b329e8de2a715052434909385a379b8a804ff19f56f70d433fc5e3983c1d9ad6144d35ff4c88b8a9298d7195ce152be8fd6d9

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
2985df9c0ec3eb41197fd388e94f813a

SHA1
537391573facbeaac76f8f22b7d2180711c6885d

SHA256
16c6841edd37014b6d6e27ff87b15261d89dee25cee3ecbda5ff3c1b6b72f13a

SHA512
e7478c7bd6748b31d740e21957233a7379905eace76bd153ffeb5d350daa5f2cef6d322292c3f38d3f5d71de1ec3c3bd2d86debc700462a28ce64b5a28f8aa46

Download Submit
memory/752-177-0x0000000000490000-0x00000000004F0000-memory.dmp

Filesize
384KB

Download
memory/752-168-0x0000000000490000-0x00000000004F0000-memory.dmp

Filesize
384KB

Download
memory/752-460-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/752-176-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/1172-149-0x0000000003260000-0x00000000032C6000-memory.dmp

Filesize
408KB

Download
memory/1172-459-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1172-144-0x0000000003260000-0x00000000032C6000-memory.dmp

Filesize
408KB

Download
memory/1172-172-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1172-143-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1172-140-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1276-292-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/1756-406-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2000-270-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/2396-272-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/2408-199-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/2408-487-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2408-198-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2408-191-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/2468-695-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2468-462-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2508-218-0x00000000021F0000-0x0000000002250000-memory.dmp

Filesize
384KB

Download
memory/2508-219-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2508-226-0x00000000021F0000-0x0000000002250000-memory.dmp

Filesize
384KB

Download
memory/2508-229-0x00000000021F0000-0x0000000002250000-memory.dmp

Filesize
384KB

Download
memory/2508-232-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2628-349-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/2644-361-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2644-351-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2652-322-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2660-574-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/2660-275-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/2676-693-0x000002889E9F0000-0x000002889EA00000-memory.dmp

Filesize
64KB

Download
memory/2676-745-0x000002889E9F0000-0x000002889EA00000-memory.dmp

Filesize
64KB

Download
memory/2676-691-0x000002889E9F0000-0x000002889EA00000-memory.dmp

Filesize
64KB

Download
memory/2676-692-0x000002889E9F0000-0x000002889EA00000-memory.dmp

Filesize
64KB

Download
memory/2676-694-0x000002889EB10000-0x000002889EB20000-memory.dmp

Filesize
64KB

Download
memory/2676-608-0x000002889E610000-0x000002889E611000-memory.dmp

Filesize
4KB

Download
memory/2676-609-0x000002889E630000-0x000002889E64A000-memory.dmp

Filesize
104KB

Download
memory/2676-719-0x000002889EB10000-0x000002889EB20000-memory.dmp

Filesize
64KB

Download
memory/2676-720-0x000002889EB10000-0x000002889EB20000-memory.dmp

Filesize
64KB

Download
memory/2676-737-0x000002889E610000-0x000002889E611000-memory.dmp

Filesize
4KB

Download
memory/2676-738-0x000002889E630000-0x000002889E64A000-memory.dmp

Filesize
104KB

Download
memory/2676-739-0x000002889E630000-0x000002889E64A000-memory.dmp

Filesize
104KB

Download
memory/2676-740-0x000002889EB10000-0x000002889EB20000-memory.dmp

Filesize
64KB

Download
memory/2676-741-0x000002889EB10000-0x000002889EB20000-memory.dmp

Filesize
64KB

Download
memory/2676-742-0x000002889EB10000-0x000002889EB20000-memory.dmp

Filesize
64KB

Download
memory/2676-607-0x000002889E600000-0x000002889E610000-memory.dmp

Filesize
64KB

Download
memory/2676-746-0x000002889E9F0000-0x000002889EA00000-memory.dmp

Filesize
64KB

Download
memory/2676-747-0x000002889E9F0000-0x000002889EA00000-memory.dmp

Filesize
64KB

Download
memory/2676-748-0x000002889E9F0000-0x000002889EA00000-memory.dmp

Filesize
64KB

Download
memory/2676-749-0x000002889EB10000-0x000002889EB20000-memory.dmp

Filesize
64KB

Download
memory/2676-640-0x000002889E790000-0x000002889E7A0000-memory.dmp

Filesize
64KB

Download
memory/2676-610-0x000002889E630000-0x000002889E64A000-memory.dmp

Filesize
104KB

Download
memory/3180-639-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3180-324-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3396-373-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3632-201-0x0000000000700000-0x0000000000766000-memory.dmp

Filesize
408KB

Download
memory/4076-162-0x00000000004A0000-0x0000000000500000-memory.dmp

Filesize
384KB

Download
memory/4076-174-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/4076-156-0x00000000004A0000-0x0000000000500000-memory.dmp

Filesize
384KB

Download
memory/4240-243-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/4240-234-0x0000000000D50000-0x0000000000DB0000-memory.dmp

Filesize
384KB

Download
memory/4248-531-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4248-222-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4248-214-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/4248-207-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/4300-579-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4300-294-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4484-404-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4648-347-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/4812-688-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/4812-407-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/5052-137-0x0000000005CD0000-0x0000000005CE0000-memory.dmp

Filesize
64KB

Download
memory/5052-133-0x0000000000F20000-0x000000000108C000-memory.dmp

Filesize
1.4MB

Download
memory/5052-139-0x00000000076B0000-0x000000000774C000-memory.dmp

Filesize
624KB

Download
memory/5052-138-0x0000000005CD0000-0x0000000005CE0000-memory.dmp

Filesize
64KB

Download
memory/5052-136-0x0000000005A30000-0x0000000005A3A000-memory.dmp

Filesize
40KB

Download
memory/5052-135-0x0000000005A60000-0x0000000005AF2000-memory.dmp

Filesize
584KB

Download
memory/5052-134-0x0000000005F70000-0x0000000006514000-memory.dmp

Filesize
5.6MB

Download
memory/5100-187-0x00000000009C0000-0x0000000000A20000-memory.dmp

Filesize
384KB

Download
memory/5100-181-0x00000000009C0000-0x0000000000A20000-memory.dmp

Filesize
384KB

Download
memory/5100-205-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5100-195-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5100-202-0x00000000009C0000-0x0000000000A20000-memory.dmp

Filesize
384KB

Download