blustealer | b445018afa2dee3bda17e65e52a7a3c143b0ae31abd00d26f58a4fa3319dd523

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
16-05-2023 14:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4.exe
Size

1.4MB
MD5

1dab5e05ac3651db47b6f881dab8dd3e
SHA1

66c37ab30dc83b3519815b2406cc6dd332e4d91b
SHA256

b445018afa2dee3bda17e65e52a7a3c143b0ae31abd00d26f58a4fa3319dd523
SHA512

dd31a50b54385b3c1917e6eb17e7970c2fd97ec481c297865d7f37c7f2ea137ed8b60a131e7de5a7eee2278f5d26951c9da0be4e2babb00582993fb1cf8b4472
SSDEEP

24576:t9j0kMtM5Gcc59B40fuI3At9NzS1f8iGiEKjOWVQbHnERMJaICUQqi+4P8mHMC9i:7MOqu0fpAt9NzAEi7XxsERNB5PRsYo

Score

10^/10

blustealer collection spyware stealer

Malware Config

Extracted

Family

blustealer

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 22 IoCs

pid	Process
3052	alg.exe
868	DiagnosticsHub.StandardCollector.Service.exe
4000	fxssvc.exe
4808	elevation_service.exe
4140	elevation_service.exe
3616	maintenanceservice.exe
1868	msdtc.exe
2684	OSE.EXE
2456	PerceptionSimulationService.exe
4320	perfhost.exe
540	locator.exe
3864	SensorDataService.exe
2460	snmptrap.exe
2236	spectrum.exe
4180	ssh-agent.exe
1704	TieringEngineService.exe
1116	AgentService.exe
4532	vds.exe
4536	vssvc.exe
4740	wbengine.exe
3536	WmiApSrv.exe
2188	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Drops file in System32 directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	4.exe
File opened for modification	C:\Windows\system32\AgentService.exe	4.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	4.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	4.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	4.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	4.exe
File opened for modification	C:\Windows\System32\vds.exe	4.exe
File opened for modification	C:\Windows\system32\wbengine.exe	4.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	4.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	4.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	4.exe
File opened for modification	C:\Windows\System32\alg.exe	4.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\52bdbc6550d0d086.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	4.exe
File opened for modification	C:\Windows\system32\locator.exe	4.exe
File opened for modification	C:\Windows\system32\spectrum.exe	4.exe
File opened for modification	C:\Windows\system32\vssvc.exe	4.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	4.exe
File opened for modification	C:\Windows\system32\dllhost.exe	4.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	4.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	4.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	4.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	4.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4976 set thread context of 4764	4976	4.exe	89
PID 4764 set thread context of 4884	4764	4.exe	95

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	4.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	4.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	4.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jp2launcher.exe	4.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\kinit.exe	4.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\ssvagent.exe	4.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	4.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\java-rmi.exe	4.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	4.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	4.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	4.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jjs.exe	4.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\policytool.exe	4.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmic.exe	4.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\pack200.exe	4.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javaws.exe	4.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	4.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	4.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	4.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	4.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	4.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javac.exe	4.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	4.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	4.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe	4.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	4.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	4.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	4.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe	4.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmiregistry.exe	4.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	4.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	4.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\klist.exe	4.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\nbexec64.exe	4.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	4.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	4.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe	4.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\native2ascii.exe	4.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\tnameserv.exe	4.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\pack200.exe	4.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\rmid.exe	4.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	4.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	4.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	4.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe	4.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe	4.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\ktab.exe	4.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\xjc.exe	4.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe	4.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ktab.exe	4.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\orbd.exe	4.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	4.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\klist.exe	4.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	4.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	4.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\orbd.exe	4.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\keytool.exe	4.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\servertool.exe	4.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\unpack200.exe	4.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	4.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	4.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	4.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	4.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000974d57891388d901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000018719f891388d901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000021cd93881388d901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000552eb5881388d901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f75dc7891388d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c67e85881388d901	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b3a4ab881388d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c87a3f911388d901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	88	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
4764	4.exe
4764	4.exe
4764	4.exe
4764	4.exe
4764	4.exe
4764	4.exe
4764	4.exe
4764	4.exe
4764	4.exe
4764	4.exe
4764	4.exe
4764	4.exe
4764	4.exe
4764	4.exe
4764	4.exe
4764	4.exe
4764	4.exe
4764	4.exe
4764	4.exe
4764	4.exe
4764	4.exe
4764	4.exe
4764	4.exe
4764	4.exe
4764	4.exe
4764	4.exe
4764	4.exe
4764	4.exe
4764	4.exe
4764	4.exe
4764	4.exe
4764	4.exe
4764	4.exe
4764	4.exe
4764	4.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
668	Process not Found
668	Process not Found

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4764	4.exe
Token: SeAuditPrivilege	4000	fxssvc.exe
Token: SeRestorePrivilege	1704	TieringEngineService.exe
Token: SeManageVolumePrivilege	1704	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1116	AgentService.exe
Token: SeBackupPrivilege	4536	vssvc.exe
Token: SeRestorePrivilege	4536	vssvc.exe
Token: SeAuditPrivilege	4536	vssvc.exe
Token: SeBackupPrivilege	4740	wbengine.exe
Token: SeRestorePrivilege	4740	wbengine.exe
Token: SeSecurityPrivilege	4740	wbengine.exe
Token: 33	2188	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2188	SearchIndexer.exe
Token: SeDebugPrivilege	4764	4.exe
Token: SeDebugPrivilege	4764	4.exe
Token: SeDebugPrivilege	4764	4.exe
Token: SeDebugPrivilege	4764	4.exe
Token: SeDebugPrivilege	4764	4.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4764	4.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 4976 wrote to memory of 4764	4976	4.exe	89
PID 4976 wrote to memory of 4764	4976	4.exe	89
PID 4976 wrote to memory of 4764	4976	4.exe	89
PID 4976 wrote to memory of 4764	4976	4.exe	89
PID 4976 wrote to memory of 4764	4976	4.exe	89
PID 4976 wrote to memory of 4764	4976	4.exe	89
PID 4976 wrote to memory of 4764	4976	4.exe	89
PID 4976 wrote to memory of 4764	4976	4.exe	89
PID 4764 wrote to memory of 4884	4764	4.exe	95
PID 4764 wrote to memory of 4884	4764	4.exe	95
PID 4764 wrote to memory of 4884	4764	4.exe	95
PID 4764 wrote to memory of 4884	4764	4.exe	95
PID 4764 wrote to memory of 4884	4764	4.exe	95
PID 2188 wrote to memory of 2848	2188	SearchIndexer.exe	117
PID 2188 wrote to memory of 2848	2188	SearchIndexer.exe	117
PID 2188 wrote to memory of 4892	2188	SearchIndexer.exe	118
PID 2188 wrote to memory of 4892	2188	SearchIndexer.exe	118

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\4.exe
"C:\Users\Admin\AppData\Local\Temp\4.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4976
- C:\Users\Admin\AppData\Local\Temp\4.exe
  "C:\Users\Admin\AppData\Local\Temp\4.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4764
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path
    PID:4884

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:3052

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:868

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2212

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4000

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4808

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4140

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:3616

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1868

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2684

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2456

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4320

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:540

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3864

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2460

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2236

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4180

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1504

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1704

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1116

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4532

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4536

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4740

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3536

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2848
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4892

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
c7b37dbd5d6434082d66a2b330f60a96

SHA1
90c92efc56b5d0ff7c52f1bb9ad094f913fe3d8c

SHA256
ade5d7f0e61c5e6b01759b1301176e50ecc84e97a22d12aecc87ad8e5dea6f53

SHA512
c2761234d21cf52c93dcd57081c98d19f52e8f55b3947973057f5e0ab6d261e98b2d0b087687e54c5aa17f79620bd8be0a1abad0cf77978b83ef163e96eeed4f

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
b2977dd73a2162f96b8edf3280f9a57f

SHA1
860b3f2a45b678ca1be672c754d7fc8279a92cb1

SHA256
83b8165ac6a04473bb5b08e8dcaa3a12872029dbde211daf14f04c5589b39b64

SHA512
c64d5d88f7faa859ea836d396ec99521faf8317cf35b00bfd60637738d83b4c4e59b99ede0023c0deb0ef748be81056241710ce2427af124968be79d61ffa4a5

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
b2977dd73a2162f96b8edf3280f9a57f

SHA1
860b3f2a45b678ca1be672c754d7fc8279a92cb1

SHA256
83b8165ac6a04473bb5b08e8dcaa3a12872029dbde211daf14f04c5589b39b64

SHA512
c64d5d88f7faa859ea836d396ec99521faf8317cf35b00bfd60637738d83b4c4e59b99ede0023c0deb0ef748be81056241710ce2427af124968be79d61ffa4a5

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
85d1b5e9be3accc6273e49f193123397

SHA1
066f5c4883addc5b1853e67b221c584ffdbce7e9

SHA256
ed2a0d6e7729eca49fcae8db5d621685b2e8ebaf222a1e2927da6f9ce316f797

SHA512
92e63225e77bd1965a6e183fa1a517e21bd14e012fb74fb5d695619678e1aeacfb0a237feedc9248df447e1e5cdfc8915644b915c968214084e76b3194246180

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.4MB

MD5
ef6d932ebd1c6e2d9f1a695c535e6090

SHA1
eec498d16d31c509a348fedf236c7552cdb4d0b0

SHA256
ea040e31c755d4f561f66135d3ef5f75852475822ecf5387eb8f752f0e58df1e

SHA512
64d59069cfb8b8d8d739594e5b6deebecb63d6066eb96b797a7fc12c3ffb94830818f5eb9436fcff6a4a2254109e5565d87b7f7b732d20dfeb2a08f024e765ac

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.1MB

MD5
86d83a752cc4b1772bc46ace19b46511

SHA1
40e2f1436041afc260c3a2dd2dfe706b04d1375f

SHA256
27b8a1842480fdf1b068e0707622d4b9e05eb4f9ae758cac1b43bf731534c2f1

SHA512
9e90946275ff2e656485447c7cd98f9291547c81686544abb4918b7c5784492ff8657aff3ca5e6580a95d2a38818b28b1041d09f666f2875efa03e1d79a8ed82

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
8bdb7d1ac98208775161d02c91b46e19

SHA1
3e31d96ffabc1c1a12d4283175a9cddf7de66392

SHA256
314237ca2958299c8c4e6f15d1d4199dbea1a737b3dbe3d03e62ae051dbaf79d

SHA512
a5cea6f8f5f10f29e259210a4aa0366e0da50cbebad1123c4f1b8ee58d96c629f42ce3786af936cd5d81545464a2676aa33599518a4382a1daba76dc0cefc773

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
209f4b83af72cc777ff5c1f1fb4f3ce3

SHA1
39d6151ca318441f2a627676d72d890f5ad1c87a

SHA256
3b2f68a3e5491c1bdb1f62b81825f3df3ab3f138d1102e49a85757afc1df6261

SHA512
f806242c673b37d5fdc4e3e36254cb7f618fc4f0f0651a0848ff25625f7ff9bdc32b180e45272f6aa575be0596ed6d8dc423aedc6bb65552775cb9d11c762527

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
1.2MB

MD5
a1a6f167ea7cd90705130d2d249c7e7e

SHA1
31239e1627173938c644895b9f8b329948ec0379

SHA256
6c8a26fbe69ddec57072126f5a44d80d3df77c1e2066cf51456e3c2af4e730b6

SHA512
d4e45a351a88b666dd952d6ec49be9f6e7c079a33e92baeae96da2a265964ee900f2881c6e4ef4b07e617644b92bb80d651928aa57c7909cd5f14de97b2ecde8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.3MB

MD5
4330f4d9f756d4fe06d04104b176b30d

SHA1
967502cb595cd2fc462a0b01b2e40c7e7152e435

SHA256
54b0e4bc8b9f5f57866a620fc281d59ae6cb4429a978d0e8a2b19fe008029f83

SHA512
d2c2252fa53e93aca56a1c72469e8c51494347a79f862c175e0af5f0538736dc47c1fa403f3c5e8075749f1b101a276991938400d64132bb9c949eae18fac77d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
1.1MB

MD5
6b9aaf151bb4b8f4d81a3c7530584346

SHA1
df1de58b7c857afe9518ebb61b1c0bd45f3bb9b8

SHA256
d284e0970f2de8778cf3e0b0fa2dc867edfb8a7205dd772b27239e8d73f10456

SHA512
4d6ad4bbb95f240c4475e178e44306f370e91005249c36bc8454d376fa5d3877b3298ccf40725e7bfd595475d85edaf70bb54f6cb4e986e598f41e61d3a7a046

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
9c1764f6daacdfbfff868afd947cb2d2

SHA1
4928a44bbfc8c7e6c20b4c3160f6a72fa821a8ba

SHA256
4ce9754b01455132d9f001878bd48444ed54079d4ddacac502b919d0633cf572

SHA512
1af6fb71858999b5fbd9629135de7be75c423bf95ba74ae8d16b433d6c55f5db6749567dde3fcdfa92942cbdcf9edc96b6a03aeb6201328269c65125cf7e6917

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
4a20bd71529677bfc5418fd900a853b0

SHA1
d0f574b511be0b45f07feadc4b2c6c8a52d376b0

SHA256
cf0d54d24ae12a6552189e2dd630b9272d1a7631b56561c3a34275b4b0364f20

SHA512
eda8d3f9e86664fa21ee2ba4b73dc7dc70733b090a4b66da01ae853e736ba348d8c166a606603494a398cc24f5707c7e91bf8f4e7c791a4688bac9a43985b73a

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
832KB

MD5
e4344cd7ea782dc38e54bbd04fe37fa4

SHA1
307fc0a722f06a7662275fa77865fde1f200fad9

SHA256
6efce25c17458565624081e2810970fe026d7011e05288277a42aa9736ec1544

SHA512
c037789e4b58f9b2c334063c2d8d2fbe65d00f7bd007b78b8d23e9158427643019d1d6e1a18246ce8289875619a02288a2a153669a5d4f84830b1e289bf3a40b

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
a443725957f73b7c4b9e072422a830ed

SHA1
c5f12de369612137ec2d5a2c9ad7fa96e7481a47

SHA256
5188f9be2c1d92c3f04f652f2ce0b6e9f48eb5dfca96da6bff34363e6f4a00c4

SHA512
485178efabaeb72ead89097957b43855e92c1c0231768a65f7d6fdec19a39c4eed2de830c55cf7c90cc479c0e19ad5aead44782958c496d7a171599fa6699b12

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe

Filesize
832KB

MD5
2a3eb9e8270bb94217e5753fa0e2615d

SHA1
1301c05b8ae68bbf3aedd8cee8f098c825792a59

SHA256
b09b6f12f7a82fc0b80dcdb047b099a347ba7300d8dbd86f9007e68480362442

SHA512
d45bfb4ca282c9046fd47a7d6b47275c0f612061f3dbe8293fe3197342c4614b0b81bbf424aabe0ed149ac03d620a999fbbb1dfcb26e35e246dfb1b2f6f48107

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe

Filesize
896KB

MD5
ee3cee0318cc54c95250bc4242331051

SHA1
00dacf68f849b3d8db6126c7ebc91d78c642935b

SHA256
37d461c2fde9092b1e558d7bc2bed8712c81addc47d82cf50ef8fa325d22ad29

SHA512
e99beba72591d882ee9bb3440ba9c7911ed1db19718ee5d4dac85199da5d3e2a73c0154b7aa6d05c2dc8f75ab6cf16db08d5b9455a1741566505b0af587ca9d0

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe

Filesize
832KB

MD5
b748289e5fb8f335d7e205da2ca72f75

SHA1
644b14dcdd114db32c2ceaac1a8de4e7cd8317b2

SHA256
7fa684bcd7d43b2dc11fb659eeed1c04e11681fb46cd1475e05098cf91ee6b73

SHA512
380391b604aa348ce39da877ab427491a1ad4efdc22ec23adeac521130ea99e88226e2308c6e5b19f95e3ec32ce3e0d24d1cd6a11c0c24251d8e3612e48ab976

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe

Filesize
832KB

MD5
1dcdd792eb0686fcbb49a2f5de6b0173

SHA1
d4300fe1681da8a64e35700f884e72932f669743

SHA256
5d6dfe207fab958a490eb2cacf20c5c4ca16c24364c87db5fddc2e78fa383fbc

SHA512
cb67a6e57cab4150e897eb5a817434539362c042e95da8c630107a8f08a1142fe70e4de5acf35587aa3c979c492bfacb115f24d416b4026f82691971506b2f48

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe

Filesize
827KB

MD5
810eef838a5af1e1ac00292149a3ac31

SHA1
26e5185803878d44baaaf1f660720655421fa27c

SHA256
f0069c6dea5d599ed3e983d600d9d6c26116d031c25c5b1e799fea116205f6a8

SHA512
380612b1827dc463dec282de3ab865d8f7f95a0f028897e5b9b0572ec0df2aabb3a7338bfb69e3a0495bcc83bede55a803315a6f169e30d77475fad00fc73467

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe

Filesize
768KB

MD5
e5584003d6407b961391327a85376511

SHA1
f2834c39a1dfad739a45dabcebfe6fb061e2e0d7

SHA256
0a05c3352f7dba32e49d52178bf05fe810001b53df666463dfa7db96b5561810

SHA512
912230aa11fb8a5143dded11f2f215b86c58e742724392b6d9afc4f2a1282806b70cbe10f5d22ed354a2021f749ce6d6952dc29fa099e3cf466e534d2f933fd8

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe

Filesize
768KB

MD5
4e3e852d7c1f91151fc8e32719b22fcb

SHA1
e999ceb9fa37dc57db93aef6741155df827cddee

SHA256
8d1ba0540420b04ae5de14e9b076b8cf5a8eb322d9f8415dc8a32993ad46772e

SHA512
504609500b379c1ee46dc412304009010d63bb3ede16bc383aa2558185ac430c45bae82e567dbd1cbb49738525eaae7cc98bef5a2f65b9991ea05c5c26fe7dd9

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\java.exe

Filesize
768KB

MD5
5e739fd13ff3b8744b6ec51eb52dcaa0

SHA1
f2d4eda6c6f8c8a739f22a9cd774068eac994403

SHA256
fbb2e13b4581e34b39cc56c987c3d53b62d6d463db5d75c89a214f8083924cc1

SHA512
5f37b94eb3b733de457d512e5642e9397ae135073a27e0624e8ea988017d8786bb49ee8cb563eeeea1028bb22703aaa4b19fbe3c12de14c09a9b0914a4054c81

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javac.exe

Filesize
768KB

MD5
6933500e6ab40e80b1f2cb8aa4baef4e

SHA1
653d54863a0bcd2d9aca6791c82eb8a3a3538b9c

SHA256
5527cde7e785e40425670630d7a78097bdd173daa30cbf983f1e3b58830af1eb

SHA512
e76028a02c8f0810cdbb725ac8c5b021bbf7027dedd0c9c055dc937a5ce1854f0084063a5e514e3ff46f281c9a84713aa3c9dbf5c4c48028fba011809e36ccdb

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe

Filesize
768KB

MD5
a50388c7270dfd024957aa03aca4a45b

SHA1
f578d1fe2d5ca9594afda9eb0c5ef6498bb06892

SHA256
e2ef153dd817a4da686ece243268e54d3958b7f7bb2cb18677bee78ff4eeaf82

SHA512
673526f25fe58fdbbcacd1e945bd61d9aa0eb40093bde1e4be95a3abd937aa4f2ab8a1071548d61ccae6f66d1a00ed82fb135a078841ccde5f886043c880bbb7

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe

Filesize
768KB

MD5
6117536f374058a8ec2a80d5cdeca4e6

SHA1
c7322b5dad319c49b524d4f7559512caf129e99e

SHA256
417d2fadcf522a6e1fcba1e973aeb793cde5891ffb03baacd77e9734e995bef6

SHA512
ffe95438b252424b526624c3839361625bdfafbc838f4c2b418f50ac5fa846790865f74732b885fad11fd7b3679cc1305eb68129c380837be717a5cc697966b5

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javah.exe

Filesize
768KB

MD5
065e50e60e48c90518a8d50eefa7d056

SHA1
512e557761f3e54bcae611b5a9e826419f891f9e

SHA256
985d858c7aa8e2a7c751192d719f3e153b331dcaddc021dc8df911fce8c85f3b

SHA512
0cb348b195511d64669234c4a1ca36f716111f07a466669440c6c7632d35e7150f2614e9162bb10e172dcf78eb853e97df44d0e38ce8389ade904a54370c599f

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe

Filesize
768KB

MD5
e2b73d5e720047971fd26c11fb355a72

SHA1
c72b4d224882afb907be53d9e2a71679e7da68b4

SHA256
0884b42e95e185068f814a52b69f10187f9a0605913a6a8eeed117a5bd17b9df

SHA512
58980b1435c79378dc580f6a5bff8663142fd75762190b4bf62e33f68ff64d58ab80cb95127cd1d3708118510014b4488cffb3aafacac9334cef5a0b9009577c

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe

Filesize
768KB

MD5
a5475479e158e7cb66b82df247a22be5

SHA1
cd51739d81b72142229a5c9590e71c29ffd3dc0a

SHA256
ef7600f76ee37a5a33884c8a51f8850522e952bea14c42180613f7c85d1ed42f

SHA512
b277ed0c5af7b9c44fe161c192257697286c51e79aa35f7252d6758be4c685d5403e571e7964ff52244b21fe8be12661859fd12b591d9b17a69e86a92c5a636b

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe

Filesize
768KB

MD5
367e3e0cf37feb1ae92ae6ce8b2a5c75

SHA1
4e66aa21e12c2f0efdfa94bb25d0eb2de75c09b0

SHA256
14815a72fdfc36228b9e1ce756bb1cf454cecf05e7e12a0bb2d3d56fc66b6bcd

SHA512
e4d1babd008466e3f1fd961c9b5445ab14a57186b731d15c78581f4389fe368b890511eb6f0ebd4aba024f74b9a62315282035d7f1be28551c632fde7134edc8

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe

Filesize
768KB

MD5
8fb3fb778e3a2d746c78ba8ee465e1ec

SHA1
5eac3cc33334c9977b3bc34659bdf71f5010d72a

SHA256
0ef98153d39d650c42a9f41d6eb22c180ab0b36d51a4037b723b7fb3ccc7d238

SHA512
c2af1ecab5ae1624653df29adaa447d237476b5c3a9cc7a83a101b8f94ac674ac950b91bd50240c44d07e638a604c8cbf51b7c9d3556fdae9d72171966fa97db

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
9e10aafbb4f713a5f1f9b9df1f75dc45

SHA1
1a6fd27b2d918f0ebf65918c1c2c44dc09cf1336

SHA256
ff9aeb76acafd673bba8e380413411392c3048cd2e56e41070d6dbf003b615fc

SHA512
7084054cabdd124e62075dda9cb7319c8e31cab2d0abce0bc947c990a35d5d0cf11b008c8d2802b4759242420c6e6ae8d70496deab98cbce669a990b7745d2c6

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
ad8c189e472f34ea0e93362c957a4daa

SHA1
914879fe8bd16847f1bce1d1af7588dfe5c565a6

SHA256
2f067389d07d9c93687fd084857dc43eaa97c5c0f505961693d86f3d921d3e08

SHA512
9ec1528ef4a6db67875595754b551dcd08f32071ec8848d0d2668f7841b1ccd0195cd8b0e524f6ec203c286e2967629604fd9b0d26824212723499bf4682bfd3

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
aa617e488c99ce23f5db1f69c8f4106e

SHA1
836df79fb8341967cf0874daaaaac3842942c1e0

SHA256
9720135df002553b6c7b0a841438d32947299ef9c7ac85e837c2686e8459b2ba

SHA512
15b4e45898fba0350a931a81725e112bdec2723473a3d5417aa002dcdbc8413b30a1da9c08e46f309dc0488b65218e33286464a157181117ea4eed917fbd9256

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
df3102a55b8a821e0dccbdda74eb83a9

SHA1
11b3ebfa7717a3fb3d07fe68c860d0e1558d6353

SHA256
206e477ec256a012970c6799a6e45033cc36be28bdaee6c88c1c8281b26d6096

SHA512
704140164fb18fd027924266f5e81428b24468efa1609c4bd5f55f2e8ee30f2be8f3733def6276080b71028bd2daa19f01f379f0fb51af4c6dd33d5fd124c8a3

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
2985ca5bd063eca0cd0df6e3005b3b0a

SHA1
0a139a042d9ec399b53f230713cfeaaf330001c9

SHA256
f7c4c1170142d9d43c5da79de92cedfccecb6d2184df266110a4e90bc80fbd8e

SHA512
7d1201813c3b4eae11a5366b623d8e7c9d161eef0c662d333bdf4aa9d4f428173f0c39fdb170fcc61389a68e4fd6529d724960e07c30833f7966fe18c69de5c5

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
0e7f843b0cd5eba90b72c580373b2ddf

SHA1
095a22a508c01a60bd8c47319c362e6cd5cb74cc

SHA256
bdafa1df8fe3e3b1a8010f18d0fbdc41c64ed556e73cb60c00a03be655b72236

SHA512
9b522e274811a2f6b90a950c3e83ad4c35c400b80e260f803d7c5359db876f227dbde95f6dfe913952d3d3bf9dd35a377af7c4186eefa798ebbabb5fcc418f31

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
3ff58face22a1695d00a06095029af5f

SHA1
174a4c7c62d553ee609242e998034c03a42969c3

SHA256
11fc2d7f1ff99000ddd8fb7b02be4ef42f94346583966def1d2078851c220178

SHA512
d2f0cb19b4f55e47e8066ae0950c04e9986877305b3aefe254ffef778d921e93d2e33275ccab56c0b4b27873266b1216f18db02996519f5e287c7fcc4fb2435a

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
3ff58face22a1695d00a06095029af5f

SHA1
174a4c7c62d553ee609242e998034c03a42969c3

SHA256
11fc2d7f1ff99000ddd8fb7b02be4ef42f94346583966def1d2078851c220178

SHA512
d2f0cb19b4f55e47e8066ae0950c04e9986877305b3aefe254ffef778d921e93d2e33275ccab56c0b4b27873266b1216f18db02996519f5e287c7fcc4fb2435a

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
be8654b1ce3b489b675a2c3658ee0954

SHA1
cd48fdd7d4a544a364779d9b16870f720ec81b6c

SHA256
83e00e2c16dc16d8b300ac0c684845776c76462de023c49ab6cf45af409e5dec

SHA512
f0e3a83065e53cd8eaa8d0e6369e8ce4070872d3a06b6fb82610541d3d3d3229df2e9c8cc585090d97656797c33e7612ca5e73e0582e0b916b183ab4ebc84d14

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
894b7c7e9e2eb829e4304cef7662833d

SHA1
54e65f4b4da468b4ae24212f7784e8363ceb4535

SHA256
e14455feb46109a964b6052b69f0d6d46dc32f621576d698f2eb45710bcda8ef

SHA512
8a630733f45785e2778bb1e980f3334b32a4f7681d33093cc99cc0039895ab29f71982ab28acd1756e2e04ff001a18a87440f2367f53dcb464bb21188ac46c82

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
ebe33b505260bcef26a3596f6a8d9cd5

SHA1
61026fc1f8d1e610416a7f25c81afef14e50338a

SHA256
4a25e3869e2baf417d4aa3d5e5b0b860aa9294be9d2432498634743fb292fcf6

SHA512
f927a33d35ed34caf9dc026c6f12f0a9bbac4301167b032825519648fe759a15d183e28074fc5a8655fb084ebfb5cc2e1d081588778a2d559d0a1a2c92827f9e

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
ebe33b505260bcef26a3596f6a8d9cd5

SHA1
61026fc1f8d1e610416a7f25c81afef14e50338a

SHA256
4a25e3869e2baf417d4aa3d5e5b0b860aa9294be9d2432498634743fb292fcf6

SHA512
f927a33d35ed34caf9dc026c6f12f0a9bbac4301167b032825519648fe759a15d183e28074fc5a8655fb084ebfb5cc2e1d081588778a2d559d0a1a2c92827f9e

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
5e30eb31ef8729e1dcfb7b466cccd3a7

SHA1
a85dd858885280e6b955bfee9581dc5495ee8d78

SHA256
da8082cff48576836493e3cace60179decbb649887829881ca654139974a0189

SHA512
d1d2aced0c3e30d6ca50e24ca4fa3120b23e66ef2669a6dd6bed62908b5e397115e1a2970a0ae09191e313b5be935bf970c676282c3bb28dffd7a6e995e6cfda

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
ae94e59138a01f29d64c2ef614e8567f

SHA1
1a685e0d758ad1e18a63ebdfdcfb4627f9371897

SHA256
ca6f96c8f4ceb038a2aef66d85452be72d0ca527a22128c7c042813d7b0f1c00

SHA512
6fb26afb5835cb23d2a89e4dc48b772b595ede3687e185454d4832beea38cf998e51a91cfdae216a9294fc86833df3adde0e8eb96c8b7c68675b7d93a799e9d4

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
a2c677c4959bb79f4279eacf3d5b50af

SHA1
b0dca99f36ad961d4b642d3a06aed33f9b1761f8

SHA256
e566af3f68cfbef3df0e2e0951ccae73838ca6f7a0cae61e666bf02e7785e854

SHA512
2410b1bce25bca28f50cf357033e2986f9f97b2f923bfebdcb31a2104f62dd4c743469bb036be5c01bac234e1b7961d0b69bf13937fc0dd729a7a20d0b1a82e7

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
10ac1761870a78e0084498b64db908a0

SHA1
210ebfddfcd6e9bda5bf188887823750aadabd49

SHA256
df3825cd1af4faf9bf9f4b5e1b265d04363211773e16bf5280c4b008496b96fd

SHA512
5e40a7124e2b5a64fda97febcbabe669b726a8450ebfa390e743bcfc7e0d6f89a32cb9b334a7059826da72db6cb96a02c0fe09672c8ae8214d2c5318799bb31e

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
d50606340fd75385a13dae9d905b02bd

SHA1
1e17152b82f8761fc374004b1908026135e50830

SHA256
bba9387b6a45b962223a52ae713e86e20aa49fe65df39a5a720a9d1be711594a

SHA512
b22832ed29152d1a82a8c8c469823de50509179e0b7381958831dbecfbdd27ab362153f092c275e053bb21c0a6ae7cd5df65e85f80437956e6101f526b6550ba

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
cd5812bae5c0d413397b44ef164eb03a

SHA1
67dc2b70fcd6ca200435dc9ddb6c074d64d880f8

SHA256
eaf639ed5dbbd7e3041902189d20694013226ccb881fa14a2f804b02ba868a7f

SHA512
10d05b5a8f44ae0f1c65339b6bba3e2119f06fd706dec361f8d77bedebdf5275f42562dca41fcaf13bac59ddd7cd631432f250a6cdcb05ba7cddb2cb7fd85244

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
832dc56103c28b2c6d331d2df8545df4

SHA1
0de3e3c3e228a57331d89765dadc7e276eb42032

SHA256
3623d9290fd1944c780111d921938edf5d491cb11e4f494a9b8b4fda4db24014

SHA512
3657d1e3e7bb552710fee87f69fa7a77e1d7c2da4f8e347f08fcef3d1d0db153a7005df50c68f61452c8ad3ff0116c90cbdc05903f79e038291adcaa9b59a3f4

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
f5bfafb55618b75eeda96bd6714e6197

SHA1
aecac098124e292033a0d24dc1c253e277e48260

SHA256
a22d0bb337e23c1af3a41551db7fd0f573cf3dc57bd86771de2c13f16f9c33a5

SHA512
a71002c3c068380e2f515b0c665526a018b5f169491f5ba15458d0272ff50b4ec58c139f9bcf7a74a733e37fe1d5ca8d0d9f0bcc0bd74b7160fd97b732f77a65

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
53d509f4b59a12fd23dcc9e2a885e33d

SHA1
1a4161a7742dff3c2b5326dfcedea124c9e0f64f

SHA256
a6bd3849c80ccceba21bf37e730eccba608c060632e0108c05f4c3a4c935ef4b

SHA512
1e4917395aae03c18f0d46f195770dffe4c61a9acd91ad36f19e312772cf773cd22fe7146e2c4e53f9288ccfc0fb792c6ea43a31f4f1638a855ec8e3d362c415

Download Submit
C:\Windows\system32\AgentService.exe

Filesize
1.7MB

MD5
aa617e488c99ce23f5db1f69c8f4106e

SHA1
836df79fb8341967cf0874daaaaac3842942c1e0

SHA256
9720135df002553b6c7b0a841438d32947299ef9c7ac85e837c2686e8459b2ba

SHA512
15b4e45898fba0350a931a81725e112bdec2723473a3d5417aa002dcdbc8413b30a1da9c08e46f309dc0488b65218e33286464a157181117ea4eed917fbd9256

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
f2ef0a5f6769fe66249b80c25020d9e0

SHA1
e7c1d8e78357a2306065b4aaf32853db9e046dbf

SHA256
42aa43dbc7f2dc7d09868f84d6df49292a4969da34e75f55816ff31d1db1a215

SHA512
d279527d159520d7f75f13d2df6b456a1c0ba09d46905e7d43a80725c60361376550b596a6985fe71e46a036826317cc0ac1363fb55b37fce63825470ef7b8f4

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
232ce45659dd3f8c1f594b9426d7b094

SHA1
ee0e845e8fad46ff8bd747296936722bfa414fbe

SHA256
81ef6b34cda629c2be91e727f0cdb2ba979292eb4a2e923674f20efb6bb76528

SHA512
0738a68202887af34db3f9f1514a7b480c5fffca5a886836da2f8145935f7bf7454cbc3bef5a2ffb0b59cdb96a5157266e96700630e555bde382006155f93325

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
2985ca5bd063eca0cd0df6e3005b3b0a

SHA1
0a139a042d9ec399b53f230713cfeaaf330001c9

SHA256
f7c4c1170142d9d43c5da79de92cedfccecb6d2184df266110a4e90bc80fbd8e

SHA512
7d1201813c3b4eae11a5366b623d8e7c9d161eef0c662d333bdf4aa9d4f428173f0c39fdb170fcc61389a68e4fd6529d724960e07c30833f7966fe18c69de5c5

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
fb9b78ef67d57097bacbc0e98250346f

SHA1
5e20dd7633d22a1de4318a0849e4743e4bc77dae

SHA256
6b2d07cb1e6788182697b64a99ef75664cede490c649bf3468d04869e90f5549

SHA512
6b9009d7ae4846642e748788c7925b317c3b1a923f04b975ed28125cb5fe9dc141870a93417a74cff8c4800852b5d3ece0e77919515feebfbb62196e7f45b733

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
9956a9fc5c4bb55bf4cbf79e0e9c62b2

SHA1
5df9b46d13593e04cb9b1fbe99f96c1eb2950bfc

SHA256
e64cba04db08f834797037ef0193dbb282f28a9a35776000907e1344ea3b5f4c

SHA512
5969d1d3cadeada553a4fd36d856e5eabaadce3c583795158c7c799324b6eadbb7a290a7f013a956dbb14a57dbddd45b97b9e83a52656518fe223f9f868196ea

Download Submit
memory/540-304-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/868-170-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/868-176-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/868-181-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/1116-360-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1704-359-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/1868-234-0x0000000000D50000-0x0000000000DB0000-memory.dmp

Filesize
384KB

Download
memory/1868-267-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/2188-417-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2188-659-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2236-326-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2236-611-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2456-271-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/2460-310-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2460-610-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2684-269-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/3052-156-0x0000000000660000-0x00000000006C0000-memory.dmp

Filesize
384KB

Download
memory/3052-163-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/3052-164-0x0000000000660000-0x00000000006C0000-memory.dmp

Filesize
384KB

Download
memory/3052-475-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/3536-415-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/3536-658-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/3616-219-0x0000000002230000-0x0000000002290000-memory.dmp

Filesize
384KB

Download
memory/3616-225-0x0000000002230000-0x0000000002290000-memory.dmp

Filesize
384KB

Download
memory/3616-231-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3616-228-0x0000000002230000-0x0000000002290000-memory.dmp

Filesize
384KB

Download
memory/3864-585-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3864-307-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4000-198-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/4000-183-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4000-180-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/4000-200-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4000-188-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/4140-215-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/4140-571-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4140-208-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/4140-233-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4180-357-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/4320-302-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/4532-380-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4536-651-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4536-382-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4740-413-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4764-149-0x00000000010C0000-0x0000000001126000-memory.dmp

Filesize
408KB

Download
memory/4764-140-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/4764-143-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/4764-144-0x00000000010C0000-0x0000000001126000-memory.dmp

Filesize
408KB

Download
memory/4764-161-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/4764-470-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/4808-192-0x0000000000D00000-0x0000000000D60000-memory.dmp

Filesize
384KB

Download
memory/4808-206-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4808-550-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4808-202-0x0000000000D00000-0x0000000000D60000-memory.dmp

Filesize
384KB

Download
memory/4884-196-0x0000000000BC0000-0x0000000000C26000-memory.dmp

Filesize
408KB

Download
memory/4884-204-0x0000000005380000-0x0000000005390000-memory.dmp

Filesize
64KB

Download
memory/4892-671-0x000001C07DB40000-0x000001C07DC40000-memory.dmp

Filesize
1024KB

Download
memory/4892-669-0x000001C07D100000-0x000001C07D101000-memory.dmp

Filesize
4KB

Download
memory/4892-708-0x000001C07DB40000-0x000001C07DC40000-memory.dmp

Filesize
1024KB

Download
memory/4892-675-0x000001C07DB40000-0x000001C07DC40000-memory.dmp

Filesize
1024KB

Download
memory/4892-674-0x000001C07DB40000-0x000001C07DC40000-memory.dmp

Filesize
1024KB

Download
memory/4892-613-0x000001C07D100000-0x000001C07D101000-memory.dmp

Filesize
4KB

Download
memory/4892-673-0x000001C07DB40000-0x000001C07DC40000-memory.dmp

Filesize
1024KB

Download
memory/4892-672-0x000001C07DB40000-0x000001C07DC40000-memory.dmp

Filesize
1024KB

Download
memory/4892-711-0x000001C07DB40000-0x000001C07DC40000-memory.dmp

Filesize
1024KB

Download
memory/4892-743-0x000001C07DB40000-0x000001C07DC40000-memory.dmp

Filesize
1024KB

Download
memory/4892-744-0x000001C07DB40000-0x000001C07DC40000-memory.dmp

Filesize
1024KB

Download
memory/4892-746-0x000001C000030000-0x000001C000040000-memory.dmp

Filesize
64KB

Download
memory/4892-745-0x000001C07DB40000-0x000001C07DC40000-memory.dmp

Filesize
1024KB

Download
memory/4892-670-0x000001C07DB40000-0x000001C07DC40000-memory.dmp

Filesize
1024KB

Download
memory/4892-612-0x000001C07CF20000-0x000001C07CF30000-memory.dmp

Filesize
64KB

Download
memory/4892-709-0x000001C07DB40000-0x000001C07DC40000-memory.dmp

Filesize
1024KB

Download
memory/4892-747-0x000001C000030000-0x000001C000050000-memory.dmp

Filesize
128KB

Download
memory/4892-643-0x000001C07DB40000-0x000001C07DC40000-memory.dmp

Filesize
1024KB

Download
memory/4892-642-0x000001C07DB40000-0x000001C07DC40000-memory.dmp

Filesize
1024KB

Download
memory/4892-641-0x000001C07DB40000-0x000001C07DC40000-memory.dmp

Filesize
1024KB

Download
memory/4892-617-0x000001C07DB40000-0x000001C07DC40000-memory.dmp

Filesize
1024KB

Download
memory/4892-615-0x000001C07DB40000-0x000001C07DC40000-memory.dmp

Filesize
1024KB

Download
memory/4976-133-0x00000000002A0000-0x000000000040C000-memory.dmp

Filesize
1.4MB

Download
memory/4976-139-0x00000000068A0000-0x000000000693C000-memory.dmp

Filesize
624KB

Download
memory/4976-138-0x0000000004E00000-0x0000000004E10000-memory.dmp

Filesize
64KB

Download
memory/4976-137-0x0000000004D20000-0x0000000004D2A000-memory.dmp

Filesize
40KB

Download
memory/4976-136-0x0000000004E00000-0x0000000004E10000-memory.dmp

Filesize
64KB

Download
memory/4976-135-0x0000000004C70000-0x0000000004D02000-memory.dmp

Filesize
584KB

Download
memory/4976-134-0x0000000005320000-0x00000000058C4000-memory.dmp

Filesize
5.6MB

Download