Analysis
  max time kernel: 150s
  max time network: 153s
  platform: windows10-2004_x64
  resource: win10v2004-20230220-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 19-05-2023 10:37
Static task: static1
Behavioral task: behavioral1
  Sample: PI-12042023-02.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: PI-12042023-02.exe
  Resource: win10v2004-20230220-en
General
  Target: PI-12042023-02.exe
  Size: 1.4MB
  MD5: 00ec65f5667134941484ca7ef40ef167
  SHA1: e2aa6f59e21c3d69fe09e036a0db32249739874a
  SHA256: e0e677d03d49bc27c8575e7f2a4816aaf10cea4d624671292cce7e2eeec67497
  SHA512: d4f09ab5aa9fe5f5ea4429c6dba4e45d3021ffd512148df900bfdcfb3d91c28ce9cf7638f18e857fe913bffac573db70586d6261474813b4baadf4831bf949f9
  SSDEEP: 24576:X4Ze+gp1yI/aLxE5HY9qzZyQ9HHgefs+LbeFgEC/fGKhQ8mI5EKq:7G1E5HGqzMCg3geEXGk+K
Malware Config
  Extracted: blustealer
https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325
Signatures

BluStealer
  A modular information stealer written in Visual Basic.

Executes dropped EXE (22 IoCs)
  pid   Process
  1200  alg.exe
  744   DiagnosticsHub.StandardCollector.Service.exe
  4736  fxssvc.exe
  4972  elevation_service.exe
  4892  elevation_service.exe
  4952  maintenanceservice.exe
  4624  msdtc.exe
  5100  OSE.EXE
  796   PerceptionSimulationService.exe
  2096  perfhost.exe
  4792  locator.exe
  3544  SensorDataService.exe
  2796  snmptrap.exe
  4256  spectrum.exe
  5104  ssh-agent.exe
  3520  TieringEngineService.exe
  748   AgentService.exe
  4936  vds.exe
  4384  vssvc.exe
  1824  wbengine.exe
  4780  WmiApSrv.exe
  2024  SearchIndexer.exe
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  description  ioc  Process
  Key opened  \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  AppLaunch.exe
  Key opened  \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  AppLaunch.exe
  Key opened  \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  AppLaunch.exe
Drops file in System32 directory (31 IoCs)
Suspicious use of SetThreadContext (2 IoCs)
  description  pid  Process  procid_target
  PID 1560 set thread context of 2792  1560  PI-12042023-02.exe  90
  PID 2792 set thread context of 3616  2792  PI-12042023-02.exe  97
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (3 IoCs)
  description  ioc  Process
  File opened for modification  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe  PI-12042023-02.exe
  File opened for modification  C:\Windows\DtcInstall.log  msdtc.exe
  File opened for modification  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe  alg.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description  ioc  Process
  Key opened  \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0  TieringEngineService.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  TieringEngineService.exe
Modifies data under HKEY_USERS (64 IoCs)
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
description: HTTP User-Agent header
flow: 93
ioc: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
-
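The User-Agent above is the default string sent by the WinHTTP COM object (WinHttp.WinHttpRequest.5), which is why the sandbox files it under "script host". The following is an added example, not part of the report or of the sample, showing how a proxy-log rule for that signature is written so that it does not fire on every non-browser client: the UA is matched against a small family table, hits to an allowlist of destinations that legitimately use scripted clients are suppressed, and the remaining hits are pivoted per client. The log lines, hostnames and the allowlist are constructed for the example; the family table beyond the WinHttpRequest entry is an assumed starting list.

```python
import re
from urllib.parse import urlsplit

# Constructed proxy log (W3C-style fields: date time client method url status "user-agent").
# The first User-Agent is the one recorded in the report above; all hosts are placeholders.
PROXY_LOG = """\
2023-05-19 10:38:01 10.0.0.15 POST https://api.messenger-example.test/sendMessage 200 "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
2023-05-19 10:38:02 10.0.0.15 GET http://crl.example-ca.test/root.crl 200 "Microsoft-CryptoAPI/10.0"
2023-05-19 10:38:05 10.0.0.22 GET https://www.example.test/ 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36"
2023-05-19 10:38:09 10.0.0.15 GET https://paste.example.test/raw/abc 200 "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1023"
2023-05-19 10:38:11 10.0.0.31 GET https://update.example-vendor.test/check 200 "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
2023-05-19 10:38:13 10.0.0.40 GET https://www.example.test/api 200 "python-requests/2.28.1"
"""

LINE_RE = re.compile(r'^(\S+ \S+) (\S+) (\S+) (\S+) (\d{3}) "(.*)"$')

# family name -> pattern.  WinHttp.WinHttpRequest.N is the WinHTTP COM default UA seen in
# this report; the other rows are common scripted clients (assumed list, extend per environment).
SCRIPT_HOST_UA = [
    ("winhttprequest",  re.compile(r"WinHttp\.WinHttpRequest\.\d")),
    ("powershell",      re.compile(r"WindowsPowerShell/")),
    ("python-requests", re.compile(r"^python-requests/")),
    ("curl",            re.compile(r"^curl/")),
]

# Assumption: destinations where a scripted client is expected (update checks, CRL fetches).
ALLOWED_DESTINATIONS = {"update.example-vendor.test"}


def classify_ua(ua):
    """Return the script-host family for a User-Agent, or None for browsers and OS components."""
    for name, pat in SCRIPT_HOST_UA:
        if pat.search(ua):
            return name
    return None


def detect(log_text, allowed=ALLOWED_DESTINATIONS):
    """Alert on script-host User-Agents talking to hosts outside the allowlist."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # ignore lines that do not follow the log layout
        ts, client, method, url, status, ua = m.groups()
        family = classify_ua(ua)
        if family is None:
            continue
        host = urlsplit(url).hostname or ""
        if host in allowed:
            continue                      # known scripted traffic, e.g. a vendor update check
        alerts.append({"time": ts, "client": client, "method": method,
                       "host": host, "status": status, "family": family, "ua": ua})
    return alerts


def pivot_by_client(alerts):
    """Clients showing more than one script-host family deserve the first look."""
    by_client = {}
    for a in alerts:
        by_client.setdefault(a["client"], set()).add(a["family"])
    return {c: sorted(f) for c, f in by_client.items()}


if __name__ == "__main__":
    hits = detect(PROXY_LOG)
    for h in hits:
        print(f"{h['time']} {h['client']} {h['method']} {h['host']} [{h['family']}]")
    print(pivot_by_client(hits))
```

The Windows Search robot UA that appears on the SearchProtocolHost.exe command line further down this page is an example of a non-browser string that a naive "not a browser" rule would also match; keying on specific script-host families plus a destination allowlist keeps the rule usable.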
Suspicious behavior: EnumeratesProcesses 35 IoCs
pid Process
2792 PI-12042023-02.exe (35 occurrences)
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
660 Process not Found
660 Process not Found
-
Suspicious use of AdjustPrivilegeToken 43 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 2792 PI-12042023-02.exe
Token: SeAuditPrivilege 4736 fxssvc.exe
Token: SeRestorePrivilege 3520 TieringEngineService.exe
Token: SeManageVolumePrivilege 3520 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 748 AgentService.exe
Token: SeBackupPrivilege 4384 vssvc.exe
Token: SeRestorePrivilege 4384 vssvc.exe
Token: SeAuditPrivilege 4384 vssvc.exe
Token: SeBackupPrivilege 1824 wbengine.exe
Token: SeRestorePrivilege 1824 wbengine.exe
Token: SeSecurityPrivilege 1824 wbengine.exe
Token: 33 2024 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 2024 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2024 SearchIndexer.exe (25 occurrences)
Token: SeDebugPrivilege 2792 PI-12042023-02.exe (5 occurrences)
-
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2792 PI-12042023-02.exe -
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target
PID 1560 wrote to memory of 2792 1560 PI-12042023-02.exe 90
PID 1560 wrote to memory of 2792 1560 PI-12042023-02.exe 90
PID 1560 wrote to memory of 2792 1560 PI-12042023-02.exe 90
PID 1560 wrote to memory of 2792 1560 PI-12042023-02.exe 90
PID 1560 wrote to memory of 2792 1560 PI-12042023-02.exe 90
PID 1560 wrote to memory of 2792 1560 PI-12042023-02.exe 90
PID 1560 wrote to memory of 2792 1560 PI-12042023-02.exe 90
PID 1560 wrote to memory of 2792 1560 PI-12042023-02.exe 90
PID 2792 wrote to memory of 3616 2792 PI-12042023-02.exe 97
PID 2792 wrote to memory of 3616 2792 PI-12042023-02.exe 97
PID 2792 wrote to memory of 3616 2792 PI-12042023-02.exe 97
PID 2792 wrote to memory of 3616 2792 PI-12042023-02.exe 97
PID 2792 wrote to memory of 3616 2792 PI-12042023-02.exe 97
PID 2024 wrote to memory of 4980 2024 SearchIndexer.exe 118
PID 2024 wrote to memory of 4980 2024 SearchIndexer.exe 118
PID 2024 wrote to memory of 4396 2024 SearchIndexer.exe 119
PID 2024 wrote to memory of 4396 2024 SearchIndexer.exe 119
-
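The WriteProcessMemory events above, read together with the SetThreadContext flag on PIDs 1560 and 2792 in the process tree further down, describe the classic hollowing shape: the sample launches a second copy of itself and rewrites it (eight writes from 1560 into 2792), and that copy then writes into a freshly started .NET host, AppLaunch.exe (five writes from 2792 into 3616), which is the process that goes on to open the Outlook profile keys. The block below is an added example, not code from the report or from the sample, that turns that reading into a triage rule over the sandbox's own event wording. The event text is copied from the signature above; the per-PID image paths and flags are taken from the process tree; the HOLLOW_HOSTS and USER_WRITABLE lists are assumptions added for illustration.

```python
import re
from collections import Counter

# Constructed input: the 17 "wrote to memory" events from the signature above, one per line.
WPM_EVENTS = """\
PID 1560 wrote to memory of 2792 1560 PI-12042023-02.exe 90
PID 1560 wrote to memory of 2792 1560 PI-12042023-02.exe 90
PID 1560 wrote to memory of 2792 1560 PI-12042023-02.exe 90
PID 1560 wrote to memory of 2792 1560 PI-12042023-02.exe 90
PID 1560 wrote to memory of 2792 1560 PI-12042023-02.exe 90
PID 1560 wrote to memory of 2792 1560 PI-12042023-02.exe 90
PID 1560 wrote to memory of 2792 1560 PI-12042023-02.exe 90
PID 1560 wrote to memory of 2792 1560 PI-12042023-02.exe 90
PID 2792 wrote to memory of 3616 2792 PI-12042023-02.exe 97
PID 2792 wrote to memory of 3616 2792 PI-12042023-02.exe 97
PID 2792 wrote to memory of 3616 2792 PI-12042023-02.exe 97
PID 2792 wrote to memory of 3616 2792 PI-12042023-02.exe 97
PID 2792 wrote to memory of 3616 2792 PI-12042023-02.exe 97
PID 2024 wrote to memory of 4980 2024 SearchIndexer.exe 118
PID 2024 wrote to memory of 4980 2024 SearchIndexer.exe 118
PID 2024 wrote to memory of 4396 2024 SearchIndexer.exe 119
PID 2024 wrote to memory of 4396 2024 SearchIndexer.exe 119
"""

# Constructed context from the process tree: image path and the behaviour flags the sandbox
# attached to each PID (only the flags this rule looks at are listed).
PROCESSES = {
    1560: (r"C:\Users\Admin\AppData\Local\Temp\PI-12042023-02.exe", {"SetThreadContext", "WriteProcessMemory"}),
    2792: (r"C:\Users\Admin\AppData\Local\Temp\PI-12042023-02.exe", {"SetThreadContext", "WriteProcessMemory", "EnumeratesProcesses"}),
    3616: (r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe", {"Accesses Microsoft Outlook profiles"}),
    2024: (r"C:\Windows\system32\SearchIndexer.exe", {"WriteProcessMemory"}),
    4980: (r"C:\Windows\system32\SearchProtocolHost.exe", set()),
    4396: (r"C:\Windows\system32\SearchFilterHost.exe", set()),
}

# Assumption: signed Microsoft binaries routinely used as hosts for hollowed .NET payloads.
# AppLaunch.exe is the one this report shows; the others are an illustrative extension.
HOLLOW_HOSTS = {"applaunch.exe", "regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe"}
# Assumption: path fragments that mark a writer as running from a user-writable location.
USER_WRITABLE = (r"\appdata\local\temp", r"\appdata\roaming", r"\users\public", r"\programdata")

EVENT_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ \S+ \d+$")


def parse_events(text):
    """Return Counter{(writer_pid, target_pid): number_of_writes} from the sandbox wording."""
    counts = Counter()
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            counts[(int(m.group(1)), int(m.group(2)))] += 1
    return counts


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def triage(events, procs):
    """Classify each writer->target pair.  Returns {target_pid: (verdict, write_count)}."""
    verdicts = {}
    for (writer, target), n in events.items():
        w_img, w_flags = procs.get(writer, ("", set()))
        t_img, _ = procs.get(target, ("", set()))
        sets_ctx = "SetThreadContext" in w_flags
        from_user_dir = any(seg in w_img.lower() for seg in USER_WRITABLE)
        if sets_ctx and basename(w_img) == basename(t_img):
            verdict = "self-hollowing"          # relaunches itself, rewrites the child, resets its thread
        elif sets_ctx and basename(t_img) in HOLLOW_HOSTS:
            verdict = "hollowed trusted host"   # payload moved into a signed Microsoft binary
        elif from_user_dir:
            verdict = "suspicious write"        # cross-process write from a user-writable path
        else:
            verdict = "expected"                # e.g. a system service starting its own workers
        verdicts[target] = (verdict, n)
    return verdicts


if __name__ == "__main__":
    for pid, (verdict, n) in sorted(triage(parse_events(WPM_EVENTS), PROCESSES).items()):
        print(f"target {pid} ({basename(PROCESSES[pid][0])}): {verdict}, {n} write(s)")
```

The rule deliberately treats SearchIndexer.exe writing into SearchProtocolHost.exe and SearchFilterHost.exe as expected, because neither SetThreadContext nor a user-writable path is involved. It says nothing about whether those binaries are still the originals: the tree below flags most system services as "Executes dropped EXE" after PID 2792 wrote into System32, Program Files and the Windows directory, so on a real host the on-disk binaries at those paths should be checked against their expected signatures rather than trusted by path.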
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe
Processes
(indentation shows the parent/child relationship; flags are the sandbox signatures attached to that process)
-
C:\Users\Admin\AppData\Local\Temp\PI-12042023-02.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\PI-12042023-02.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 1560
    C:\Users\Admin\AppData\Local\Temp\PI-12042023-02.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\PI-12042023-02.exe"
      - Drops file in System32 directory
      - Suspicious use of SetThreadContext
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 2792
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          - Accesses Microsoft Outlook profiles
          - outlook_office_path
          - outlook_win_path
          PID: 3616
-
C:\Windows\System32\alg.exe
  Command line: C:\Windows\System32\alg.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  PID: 1200
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  - Executes dropped EXE
  PID: 744
-
C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
  PID: 4220
-
C:\Windows\system32\fxssvc.exe
  Command line: C:\Windows\system32\fxssvc.exe
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID: 4736
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
  Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
  - Executes dropped EXE
  PID: 4972
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
  - Executes dropped EXE
  PID: 4892
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
  Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
  - Executes dropped EXE
  PID: 4952
-
C:\Windows\System32\msdtc.exe
  Command line: C:\Windows\System32\msdtc.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  PID: 4624
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
  Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
  - Executes dropped EXE
  PID: 5100
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  - Executes dropped EXE
  PID: 796
-
C:\Windows\SysWow64\perfhost.exe
  Command line: C:\Windows\SysWow64\perfhost.exe
  - Executes dropped EXE
  PID: 2096
-
C:\Windows\system32\locator.exe
  Command line: C:\Windows\system32\locator.exe
  - Executes dropped EXE
  PID: 4792
-
C:\Windows\System32\SensorDataService.exe
  Command line: C:\Windows\System32\SensorDataService.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID: 3544
-
C:\Windows\System32\snmptrap.exe
  Command line: C:\Windows\System32\snmptrap.exe
  - Executes dropped EXE
  PID: 2796
-
C:\Windows\system32\spectrum.exe
  Command line: C:\Windows\system32\spectrum.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID: 4256
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
  Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
  - Executes dropped EXE
  PID: 5104
-
C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
  PID: 2132
-
C:\Windows\system32\TieringEngineService.exe
  Command line: C:\Windows\system32\TieringEngineService.exe
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  PID: 3520
-
C:\Windows\system32\AgentService.exe
  Command line: C:\Windows\system32\AgentService.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 748
-
C:\Windows\System32\vds.exe
  Command line: C:\Windows\System32\vds.exe
  - Executes dropped EXE
  PID: 4936
-
C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 4384
-
C:\Windows\system32\wbengine.exe
  Command line: "C:\Windows\system32\wbengine.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 1824
-
C:\Windows\system32\wbem\WmiApSrv.exe
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
  - Executes dropped EXE
  PID: 4780
-
C:\Windows\system32\SearchIndexer.exe
  Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2024
    C:\Windows\system32\SearchProtocolHost.exe
      Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
      - Modifies data under HKEY_USERS
      PID: 4980
    C:\Windows\system32\SearchFilterHost.exe
      Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
      - Modifies data under HKEY_USERS
      PID: 4396
-
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize 2.1MB
MD5 8f3c24db26d40980f78fd1463be38893
SHA1 cbc65e5a671f244447f69559085a461a4e23f680
SHA256 2e7af7d5b124b647d6fd1c342704864ab9f101e8e5da576bb29f750cc5ca78b7
SHA512 9c49903213a88f140fb678cf18a2fb09dc060e932113ebdede697ea3d38826750062a6457f68485a6c384fbf0371b0ff9ba30019a93ca3110ea7a39c1df8c3a4
-
Filesize 1.4MB
MD5 e1f1adb6f02223d09eacf521aa7f9861
SHA1 a57cc13d6ce3fefb9c91d455f6138691780eb9e6
SHA256 c1590475a66ae4ba60ac7c9049e9f2a295467ba95beb289f183f4283eab897bc
SHA512 d12d5b22be8ebe80ea43e10f55092753aab44589a35a510e1686a253b1bcef7a0d3feb86af51c90d79af0b350641775e8cb5976ee59283a6f70c4fa62cb581f9
-
Filesize 1.4MB
MD5 e1f1adb6f02223d09eacf521aa7f9861
SHA1 a57cc13d6ce3fefb9c91d455f6138691780eb9e6
SHA256 c1590475a66ae4ba60ac7c9049e9f2a295467ba95beb289f183f4283eab897bc
SHA512 d12d5b22be8ebe80ea43e10f55092753aab44589a35a510e1686a253b1bcef7a0d3feb86af51c90d79af0b350641775e8cb5976ee59283a6f70c4fa62cb581f9
-
Filesize 1.7MB
MD5 0c7461a09b4677be462a1eed88131e6e
SHA1 2c650993ab7ae7c607bec35c63666626bbe8d206
SHA256 db8040e8bc61bd56cef70fadf5a95939822a6928e38c519232f4e55085fc365a
SHA512 8cb6090641fa5ba317615520f688c1994c654f83ab8df969f6c14652d58ed20667e63939bbc1b22f23ea2bd7d5c2ffea5cab2ac8417ceca25bcece20875af686
-
Filesize 1.4MB
MD5 04af31046fca60fedc396b3a677cb0d5
SHA1 ea6004625718fff53278141305f24c149855ce8f
SHA256 7a03863cf6a61d3517c4734f51d0e064be3d1531c9940ac67b7f0c3db2ba9da4
SHA512 38f5659fab32e1c4f4c4dbf71d2a6722cac07713b144c5d7a4c653ba40773dbde67a1ab528f81549394ea44c35cd013c9cdf0444e2e641e286a4b3c379052b05
-
Filesize 1.1MB
MD5 d37ae48a5fc6880fdd08618873c9c3d3
SHA1 ed43aad73775907c141874607dcd256d407e0a7d
SHA256 bd701c4b330a5b840dd9ee17657c0dad34e548688cb41a0af4185a139de36d2d
SHA512 78d4800f9b3612fbdf4effa3e9193bc4a6014fb82ad62eeb3b3d10b21a509d8c5cad24a2192e8e66730a0902e8c0baa65f7458bcc97f028124350dc64672b695
-
Filesize 1.2MB
MD5 916e06362d97a2e00792122c224c2874
SHA1 5e156cf1392b7a129b16bd063a75455afd8306a4
SHA256 f26e3e541a9ccb14885bd1fd3dc40e6c185251b02788194c9134d606516a6d5b
SHA512 0ac2c47ed4405caeca1da28510f251dea00b840c8bb41cd1684e48c7e24e4f1113574c5d51400ef8abbd398db5902ef837465441c2335f81b74718e0a07d360e
-
Filesize 1.5MB
MD5 c53511ba02d204f9c8bf65c73c56e99b
SHA1 41fd9cd21a7bed12c75e9b07e23baa00ede3efce
SHA256 c7c7b2e332bff85f3c7175d7ac05b22b3c8d1648ca5aae144527be6143f5c2c8
SHA512 9a7818adc0728aaff309588594fc83b913dc585678feb2878ff793c2e6b3412e6d0aeae47b2acab762d26fa7c9cabb228f1b7a8925bba3187757b72b7e700757
-
Filesize 4.6MB
MD5 b78e83bcf724050a49491b759d9f379b
SHA1 70d4848a2d2bf429fdff14d84ef8b2d48fa45695
SHA256 ca9a0d8a4d7c68ae2790db484a30822a1c8a1c3bf2ea4d7c8b09cdf03ed1f45d
SHA512 5149b551b32150b08540c16294e78ce8008cefb0194034858a3a905a8a011583ae1d716ef8c59e2a82c9cb29112a46f5b7ab9408f20601b48be911226f20256e
-
Filesize 1.6MB
MD5 417584c0683f973bdffbbe3157f15261
SHA1 68ecd89e341deabc1316b6394b6464a0b7bcf4c2
SHA256 18134653428bf5c34b438bf0e81f23e5e07a368164f8a9899a5f33956337b435
SHA512 ab0d0c44425e93981548b78e5b33475f70e5750d810c68b7cebc3a7074f7e2a0f710ca6326c903ebedc03253f236425d591e3587c6ac1a87a62aee6a38a5cad2
-
Filesize 7.9MB
MD5 360bc6a9bf99e1ee595c037678754614
SHA1 bb39f04c96359d2f90560e8ad4d1e5a5d40e2ec4
SHA256 33b72532f95bf42384f560418af8c37f6e3933e79d72fecdb99b8b9a52953532
SHA512 fcfe200d9073657691599767d447859a2ac87459419656afb6d0a23ed1e52adc397e36db44d25928973cc40a2e21458332027c9cd2edd6605326d0a7ceb8f082
-
Filesize 2.7MB
MD5 6ce5d33db7db920b0bd0d7cf43aca4d0
SHA1 32972191a5d954f68ab386850367b933550ae7cd
SHA256 07c43d04aa1def5558ce3c20da434255e6bac92ade64e89cf4591fe0bb2da398
SHA512 44d0c0e93392472c21ded520dee5558d135f5626ff5e6cfe26fd2ff1f9de726f8e454882e7466c068ab2c7038e6eb33bf9232f8222586a6a6eb7942bff38eff5
-
Filesize 1.1MB
MD5 bc9c9b9f9dca71e24705348da972385c
SHA1 4656af6bd1bd77679a652dcf828e74940adff4ee
SHA256 03cd75503de94ea53b73db3520940232a572102aa7876a89de80334caa0815b8
SHA512 e9ff2d0467e7fb724043eec0bbfa621e069dfa964dadd1714452c53e5a5859c019d237c2bf944458860e9595e3925e2cd84020be7f39bac83f439588ff8d6962
-
Filesize 1.5MB
MD5 d3eb45d60eef1699595fec5a06f80b25
SHA1 ca1b021a91d5d91c03a905ce221e6882d01db6db
SHA256 d7383866bc4fbfb876ca36ff1c8009639732416ee35795b29832594617999583
SHA512 24f138587a61d53a03c822a193840714549761dd43b61a41e7ac3e41d7c6c64548f1cfb41afec0f294a8d522e2571c2dfc98f5801b70bdf16eeb3a4cb401fdc4
-
Filesize 1.3MB
MD5 b1a7a4bd81762bf316902dcc1c628328
SHA1 e521aaae73417bc9b7c29eb3452e918949273f47
SHA256 cc549b0ea7fcf89f1fe9f5a215e20a02b99bec2105239e8ad057a37322bf7eb7
SHA512 23dc4dbc9e948485ba5cc48d75e4ecd65883668c033470e9cfcecf05aa63c10fa42f5537f3b3c84141f5efdb0e2c47b696081423b1f59d9bcaabd5685e0380cf
-
Filesize 832KB
MD5 4125e07883bac7b6644b28ee7b989a9d
SHA1 c6a41e38e49a24efb2e976ef14da277ff9b5cfc7
SHA256 932c03f94aeb673176b1de331ed59a7a95cf5fe156db4dddc13d22e250930413
SHA512 3000b212c64d42c7046a5b23e797e47f9683f320274429c22022517a33a0bc4d956bdb182ff89e021081d3910271943058d806bfcd79487fc8de30c317bacb5c
-
Filesize 832KB
MD5 398f762a99ee185caa76b8b99add224e
SHA1 98fa3bede74f03fe33445dad8096ae610acce2e7
SHA256 b754a18d8f34a74b9211c1472968e9214fbacb8f65e90344ede51246a9ac72e4
SHA512 829b9385e184ec3b45d19b05fe3f2cb15d94c48e22655839673f208548255b1b746e6754829deed87e986db78147a012fb3556e846221836befeec1d63171f90
-
Filesize 1.2MB
MD5 8718e55883e46ee87fdf69b651fa0bfe
SHA1 1a79cc02e165a01d92e912edd9c48fea1f89b748
SHA256 d14adf854280ffeeac7ebf5afcd1bec491f6cc335fb63cb97f37399ee2df8624
SHA512 55f974c436427d1a361b3752c43ac6a7aaf263cf241557d554f217ec5be8e8c584c76e5b671d7a4dfa268653fbfe89e4fd6577602a90e04ed419ef7b197e1afe
-
Filesize 2.1MB
MD5 5f7f4ae7546ad223d537b9933af3e8d1
SHA1 579fe4994c81a6105939d234a3b5cc6d469f0737
SHA256 05ba5d4be34d20b39979da447d1ae2489999c85af24877104ad73f38e20c3c0b
SHA512 28e79cc3cd8a09f2588bd439720a80429489dccdf9e21332fed36776194895a9082997ffc41bd7eb7201f1f72102c673dac4ea1d2f8acbd4be3acddb50121907
-
Filesize 807KB
MD5 4643c129a89140c2745b302edf463490
SHA1 e2da386cedf550799ea3c17df4d79ba7f1db41d7
SHA256 691896655a41138935f66290455f5e641a2b7817bfc2bfb06829e0ce0919d828
SHA512 363c64b598f770f889a5cc499997e4402d0319bc893b4007dc4d6e70b21926dc2b6519f2e68166e761911585e3b4dc5c6676b47dac02026dba095f99eb8667d4
-
Filesize 704KB
MD5 228de2b4f130a6d46b564dbefd0307d0
SHA1 d3763b25420cabd72710fad74669e2061c6a7f8c
SHA256 837392b5ac156761f27e081a0733a05c9d97a692ae28e83a0f702da506c0d115
SHA512 9287010fe7e0d8af2f9811500b7b6727e7cebe18c17f81b79bf23bd6238f0109e5b83e0e78a80f2a7802515a80e4a32dbd871adc8c20049e5bbbb0d24d011d47
-
Filesize 1.5MB
MD5 642bacdbb1ac6bd2ef30aa7f527f9e84
SHA1 d75f559ea02993fb575537c0ec769773279ab0e9
SHA256 c9028f3a6b2787dd716197442d1b05f663887c5d44b5ac2113e9e63e937eee62
SHA512 8b65a5847d8229436a6167d5b7ad47d80ec63cc5975cb818e60fb23b4cdc1a17da310d29086a89bfce18af1a7dcbeb03a2d7a821b33902e4d1a2be7d42a63677
-
Filesize 1.2MB
MD5 b5aba3789922afb5fdfc5791b432202c
SHA1 5999692ebc131bbc9aafa78465de6b97628e5229
SHA256 4bada6c0ab43040cba5a7224f1f3c156129a8c145dc9c01c2e6adb707a85dced
SHA512 77a4de29d0584f8994a20ac8161dc0b6b032cbf677208986c15cfe971efd8e7994ea747ea7ac6a6b7e7809cb02b46df44cd536adfdbafb7bb5d43fd3b42ca81b
-
Filesize 1.7MB
MD5 b418489439e7722d7dd4bce631163828
SHA1 d77894a2dd6d803288da95a31de6d5bdd24cf44e
SHA256 16ba1091efc1f8e4d4550c08ca1e362781107b87367fd4cb50e0d7f8b9bab9b4
SHA512 20d1d9c568c7606c7c6fa973bf575f90f1878f92221173e9f7b759debde0674da3b5499a7a65b92d0c9efc2ae5d7a4cca23997a43eb9499233c7617c0d9e6afe
-
Filesize 1.3MB
MD5 f8184050d95b67b58e3ceb1ecba8f55f
SHA1 c9be7482df8f8248a6e2ce0d7c31d16914cb4a10
SHA256 f9ec6bf16e9840710451bdbc670bd3a54c46e546b84e7af6c49282000e75b881
SHA512 c31cb40ebcffacabe6512f9dfd42faa531c5fa5e6649771538049314142436d88eedccc0d0da45a9fd2797da41a7eb4253189212e7f5b2a8f468ffd925b87185
-
Filesize 1.2MB
MD5 7af4264d4b78b2237cec3e9d522fd638
SHA1 8b8a2e7ecce56d7f84e7265748422bed8a9accbe
SHA256 d7b51cb7927956c773ada4ba8b61d24d8b33e5e3e635827bc1995f77cbea547e
SHA512 03c6829f7936cddcae9cc749de489f5a0abdf27f15b2aeef9be5bfa7c9d8a38a54b0a1d2dba12374bd70c8df337213b2c4717ce12a11928536ae1fdc43fe4aa4
-
Filesize 1.2MB
MD5 f1fe8d19d0e717f768d72671f0cda063
SHA1 885f1c3b20631868a480493d9baf32be9d4c34b3
SHA256 a2c4efd1f05f862fb8ab8fae93261472627734f33ddb4355462d15e903838916
SHA512 d628d5ad3131646cb484e32a6f869986a7ce53881f9558a5bdd046d759d827fe028219a76a363dd15a9f48ddcb2a7a03a8af5b3f7209d70d43801147d28b9377
-
Filesize 1.6MB
MD5 41238e206f835cfc0b79e94982874448
SHA1 86412266005c2d656ef8b6f1e5022253b0eda5f3
SHA256 c4a0e351476cfa3c1d5d5eb902452a5e7f860ea71e9f3b1ad1b40607e9a93635
SHA512 5c73f881f04de482c9156423a942ade418aceb3b8ae6983d5e324a65bb20aed37e227b2797e8b699ac5f75ba8ce840acefbd85eb1740d2bec4b061b955e10fae
-
Filesize 1.6MB
MD5 41238e206f835cfc0b79e94982874448
SHA1 86412266005c2d656ef8b6f1e5022253b0eda5f3
SHA256 c4a0e351476cfa3c1d5d5eb902452a5e7f860ea71e9f3b1ad1b40607e9a93635
SHA512 5c73f881f04de482c9156423a942ade418aceb3b8ae6983d5e324a65bb20aed37e227b2797e8b699ac5f75ba8ce840acefbd85eb1740d2bec4b061b955e10fae
-
Filesize 1.3MB
MD5 bda0a0dcffdb51e6abb9775a1f0d3689
SHA1 9412211bc929f6413492020d6058d16570c5d2a2
SHA256 6f15027184b44e7e10fb05b6c6b95b4642a37cae8d1f90c8359f31f34878116d
SHA512 6876872096f9a6b169f607ed97d15ff71193522e3e732d85e6c3827595a0c2f4eae1a98db256a64ba1d72a0390a62dea8682f243a540a12466740ffc0167f0dc
-
Filesize 1.4MB
MD5 390823c2405720af359194cd6d4856f3
SHA1 bc2b8554d4fe2d78d44b73bb414f4db562d95e5e
SHA256 93a840a734c88078b56b14f13dbe281348036455b4fdea44f9675b8cc668b40c
SHA512 9cdcbefb4577f5195322d1f7c87ee3d3779ebb78a838240b206ee005cdb54ba1d0c42713e88e8de382fc853df3b9104b737bff012ae90ea4e8b09a92f714a932
-
Filesize 1.8MB
MD5 c5d049cea3acd8a94dd615ac2f35e3e0
SHA1 c4b9f6325b43ee89973505da2083580cab12c120
SHA256 6833747e20664134517855f390b6b7b44509e03df816bc91e78578e312832e3f
SHA512 23c4d989b756926fb5c53366f5b40fdef3536f1cff3928977e3800c2d76beb31ccea5078f0d8022fb8b0d258840b495186f578988bf92e918b4221de7573dbd5
-
Filesize 1.8MB
MD5 c5d049cea3acd8a94dd615ac2f35e3e0
SHA1 c4b9f6325b43ee89973505da2083580cab12c120
SHA256 6833747e20664134517855f390b6b7b44509e03df816bc91e78578e312832e3f
SHA512 23c4d989b756926fb5c53366f5b40fdef3536f1cff3928977e3800c2d76beb31ccea5078f0d8022fb8b0d258840b495186f578988bf92e918b4221de7573dbd5
-
Filesize 1.4MB
MD5 dc77cad5ddf86153d34aece15cd3d750
SHA1 a6468e7b4f172381498afe77b82aafad3c4dcad1
SHA256 511628a3a487fef608e32825b92f1ec6c15c105befa278729989f2073066e2ee
SHA512 79fdb1d4819a3d75396ea000893a6a59d6972a1ebbb3af4a6f9fc6c52410994964ec2a5f2461424f0d493faa12e04ebe9e63f0998f2ead4d6755a6ae78d4068d
-
Filesize 1.5MB
MD5 4ae5195357b9178c40c395db6a8de522
SHA1 3bf9d998a90bf195f3c9697b865f1f6f5f9e925f
SHA256 c60ea25eb769a6214f2c162dd8bec4a5d440a414af60fa623b375bccad969397
SHA512 0ac45d579011b855f42291729b078bcc0b8a06e664673e35f9622b4a4f4463a06e5a7cfc246e1fd732ee90f762dff644795fa9c1a844e26f80b73f5c0267e778
-
Filesize 2.0MB
MD5 576327630ee4f22ab96b7d7b61e48799
SHA1 0fe527ceca70f912aedeadaff1562bc2658d05ba
SHA256 20ba3e4ff5617321bbf26308dc5c4136e960a175c4cf74c2676887cad27ae70c
SHA512 24d3c97eab3e8892fe423d7036d22d5abd3cac786514633bd8062d7f4fc42deb48a21d0f5998679722a96e6aa5bdbf32156a4fb89c00134ddaa0f60ca0d75c74
-
Filesize 1.3MB
MD5 c222215666497c1000c311a9afb1fffc
SHA1 c0648a589032a39fe50199e8768f0853d6aa1ef3
SHA256 17f982a73fcd3babb95bc79d17953b3eca4d558745a4035fe5006e42e17389e3
SHA512 248e545901af170bbe6e72b3340be949558049f35dd7e0e0f63e50ae7859a77a25cf76c0ae190ae1080e888713a10736cda33c2a018e02d762709ac86ff50bfc
-
Filesize 1.4MB
MD5 182b93e4487338891b9af86d534d17d4
SHA1 7bc731861a2630cc3086fdd24b69fdfd49753604
SHA256 b7829a4aad593942a5dc1954a68dce6842bb6debcea911cc9f733dd931935855
SHA512 01ace9be1a18654f4e2e3989b7eed9d702173d440ecdddebf0c18f58984138dfb85511399097a80ef10cdbcaf0f65a419c7148419e8391c6e41d459b46f8d403
-
Filesize 1.2MB
MD5 f84ea8cdf47f7b65e718f5618910906f
SHA1 c673c7518b27dac06a84b4c32816acb3aac54b01
SHA256 b82fccae62898e81497bde17440717cadb3b2a68f78d908501a1b0eb270383c3
SHA512 be5b1c033bf0f7e0f61b9cefc6d150b26f54acf562bd2a0f96359e2d8a9d0db17bf909f10b1f61b55ec22bd1669483e69a319c9b37f0e67306e8ca88286401c5
-
Filesize 1.3MB
MD5 0ef9d947ad84dccfff74ab2a564262bd
SHA1 240d4371dd6b46ef3ce2b2f7b2c53be9012abd24
SHA256 251ead0abd897222a5b065d420f02d690d469179b247300e475f9e4612e9bbef
SHA512 678963d7bc8de9afbdeae8e01e3892f079b5386c9d45319268bcbcd2b24f3ebcda07d1098d8d191dc59f093374273a7eb508e5518ce4b5ed7430ae03d91fff12
-
Filesize 1.4MB
MD5 38fa0d94d3d52cb7fac0f117d36dc3ed
SHA1 6945a1b8961bc0638dce11cc50d4130f3f018fac
SHA256 a47876a4c47ad3a6ab53569dea5c9cd76fe11e0ba53ea44e39d733a09ce93617
SHA512 d620882b4857ddb543fb14009a57e3ce88eff21a368fdc45e9795b3d6f4f5790107e7a5e61466fe8ef60ef2d712949e9fdf8f588988a0834c5ba512bff538675
-
Filesize 2.1MB
MD5 390ca48068f8590d65daee9b613eea9c
SHA1 64ccb3a1a6c6625f93e14f5327da0c6adf12d1cf
SHA256 2dbd2d0801f45dacd348de1c12ee93dee59bd5f96761e5a86ba7097eef277808
SHA512 51f04f11c90a32ac7627464674340d79f957becfa7fb64eb40337dbab85e9af3180dc1191dfdb6e85da6dddf22e26647d4cb30984aee94d5e71d007e95da7c92
-
Filesize 1.7MB
MD5 b418489439e7722d7dd4bce631163828
SHA1 d77894a2dd6d803288da95a31de6d5bdd24cf44e
SHA256 16ba1091efc1f8e4d4550c08ca1e362781107b87367fd4cb50e0d7f8b9bab9b4
SHA512 20d1d9c568c7606c7c6fa973bf575f90f1878f92221173e9f7b759debde0674da3b5499a7a65b92d0c9efc2ae5d7a4cca23997a43eb9499233c7617c0d9e6afe
-
Filesize 1.3MB
MD5 1d1e4d6bb4dd556dbf6ae071d8cf2d96
SHA1 2d701715d5700a4af7ba97bdf957d5aa532f8c6e
SHA256 394d9ae1c8ce00b808cbfa16b1828e2e1f666a9ca4ce24ffd14b77a632bd5247
SHA512 2383cf0604f22bb5dea06eda8a4b10ebc62e9c156cfdf41048a9be7ae2c036dc0f0f9a9cec088ccf71478377b0271e0e065ceeb5f97c3d2096d1990badd588ba
-
Filesize 1.5MB
MD5 997578d6bf2064e9ccf5667a6f143538
SHA1 344df9d7dfe143a6881bdab1dcd46caa02d6e8d0
SHA256 dd864dfd06c58e63f4b9fb3ef4b0b6f6dde62d33a8cce39e1761a1ca3e71c92a
SHA512 70ba3a560947157bc12f4f4a478ee2311622beaa048e831fe091066be225d8b940003ad27599ec3b3de305a9a08add28c2ee394c062187719d75458d474733c4
-
Filesize 1.2MB
MD5 7af4264d4b78b2237cec3e9d522fd638
SHA1 8b8a2e7ecce56d7f84e7265748422bed8a9accbe
SHA256 d7b51cb7927956c773ada4ba8b61d24d8b33e5e3e635827bc1995f77cbea547e
SHA512 03c6829f7936cddcae9cc749de489f5a0abdf27f15b2aeef9be5bfa7c9d8a38a54b0a1d2dba12374bd70c8df337213b2c4717ce12a11928536ae1fdc43fe4aa4
-
Filesize 1.3MB
MD5 5ac6b4b398362ce7fbc6151baf4ff9c0
SHA1 0206d40131cc037419c4e4df937f8e525ac76204
SHA256 78cd9da6c68a2e0075e5a1b43eb3866932268527ab56603bd97b8b97ad885356
SHA512 860919be858ff4a7b62dacd5570f12838f2547614cc94d201efcbc11a3c2ee503cfbbe8244d4d44e88c9c071b3724c2e63b5cb6077ca07807a4bfd3a268ddb8e
-
Filesize 5.6MB
MD5 0cc58fa4008d057f5985946f2b0b0282
SHA1 79386af41440a2a4af25645321cbebf88154a85a
SHA256 cfe98f66ce590d9e44d6cf1d253167f7dedf97350926900aa0fa2257bf801ca1
SHA512 639f5ee299715b03116da432ed4adcf6b4d13b205dd3d153ae1f122279c72daef176d8c65a6dfa4e9aa3e248d1eb1299387821ee285fbfe4690e29b863e7909d
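Several files in the Downloads list above appear more than once with identical hashes, and the list as exported has each label fused to its hex value. Before loading these into a blocklist or a hunt, they need parsing, length-checking and de-duplication. The block below is an added example, not part of the report, doing exactly that for this layout. The sample input is four entries copied from the list above (the second and third are the same file), pasted in the fused form the export produces; the parser also accepts the form with a space after the label.

```python
import re
from collections import OrderedDict

# Constructed input: four entries copied from the Downloads list above, in the exported
# layout (label fused to the hex value, "-" between entries). Entries 2 and 3 are one file.
DOWNLOADS_TEXT = """\
Filesize
2.1MB
MD58f3c24db26d40980f78fd1463be38893
SHA1cbc65e5a671f244447f69559085a461a4e23f680
SHA2562e7af7d5b124b647d6fd1c342704864ab9f101e8e5da576bb29f750cc5ca78b7
SHA5129c49903213a88f140fb678cf18a2fb09dc060e932113ebdede697ea3d38826750062a6457f68485a6c384fbf0371b0ff9ba30019a93ca3110ea7a39c1df8c3a4
-
Filesize
1.4MB
MD5e1f1adb6f02223d09eacf521aa7f9861
SHA1a57cc13d6ce3fefb9c91d455f6138691780eb9e6
SHA256c1590475a66ae4ba60ac7c9049e9f2a295467ba95beb289f183f4283eab897bc
SHA512d12d5b22be8ebe80ea43e10f55092753aab44589a35a510e1686a253b1bcef7a0d3feb86af51c90d79af0b350641775e8cb5976ee59283a6f70c4fa62cb581f9
-
Filesize
1.4MB
MD5e1f1adb6f02223d09eacf521aa7f9861
SHA1a57cc13d6ce3fefb9c91d455f6138691780eb9e6
SHA256c1590475a66ae4ba60ac7c9049e9f2a295467ba95beb289f183f4283eab897bc
SHA512d12d5b22be8ebe80ea43e10f55092753aab44589a35a510e1686a253b1bcef7a0d3feb86af51c90d79af0b350641775e8cb5976ee59283a6f70c4fa62cb581f9
-
Filesize
1.7MB
MD50c7461a09b4677be462a1eed88131e6e
SHA12c650993ab7ae7c607bec35c63666626bbe8d206
SHA256db8040e8bc61bd56cef70fadf5a95939822a6928e38c519232f4e55085fc365a
SHA5128cb6090641fa5ba317615520f688c1994c654f83ab8df969f6c14652d58ed20667e63939bbc1b22f23ea2bd7d5c2ffea5cab2ac8417ceca25bcece20875af686
"""

HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# Longest label first so "SHA512..." is never read as "SHA1" followed by hex digits.
HASH_RE = re.compile(r"^(SHA512|SHA256|SHA1|MD5)\s*([0-9a-fA-F]+)$")
SIZE_RE = re.compile(r"^Filesize\s*(\S+)?$")


def parse_downloads(text):
    """Split the flattened list into records; raise ValueError on a hash of the wrong length."""
    records, cur, want_size = [], {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "-":                       # record separator
            if cur:
                records.append(cur)
            cur = {}
            continue
        if want_size:                         # "Filesize" on its own line: value follows
            cur["size"], want_size = line, False
            continue
        m = SIZE_RE.match(line)
        if m:
            if m.group(1):
                cur["size"] = m.group(1)      # "Filesize 1.4MB" on one line
            else:
                want_size = True
            continue
        m = HASH_RE.match(line)
        if m:
            algo, hexval = m.group(1), m.group(2).lower()
            if len(hexval) != HEX_LEN[algo]:
                raise ValueError(f"{algo} has {len(hexval)} hex chars, expected {HEX_LEN[algo]}")
            cur[algo.lower()] = hexval
    if cur:                                   # last record has no trailing separator
        records.append(cur)
    return records


def dedupe(records):
    """Collapse repeated files by SHA256, keeping the first record and counting repeats."""
    unique = OrderedDict()
    for r in records:
        key = r["sha256"]
        if key in unique:
            unique[key]["seen"] += 1
        else:
            unique[key] = dict(r, seen=1)
    return unique


def to_csv(unique):
    """One row per distinct file, ready for a blocklist or a hunting query."""
    rows = ["sha256,sha1,md5,size,seen"]
    for r in unique.values():
        rows.append(f"{r['sha256']},{r['sha1']},{r['md5']},{r['size']},{r['seen']}")
    return "\n".join(rows)


if __name__ == "__main__":
    print(to_csv(dedupe(parse_downloads(DOWNLOADS_TEXT))))
```

The length check matters because a label fused to a value is easy to mis-split by hand (a SHA1 that starts with a digit looks like part of the label); a wrong-length hash is rejected rather than silently loaded into a blocklist.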