blustealer | e0e677d03d49bc27c8575e7f2a4816aaf10cea4d624671292cce7e2eeec67497

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
19-05-2023 10:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PI-12042023-02.exe
Size

1.4MB
MD5

00ec65f5667134941484ca7ef40ef167
SHA1

e2aa6f59e21c3d69fe09e036a0db32249739874a
SHA256

e0e677d03d49bc27c8575e7f2a4816aaf10cea4d624671292cce7e2eeec67497
SHA512

d4f09ab5aa9fe5f5ea4429c6dba4e45d3021ffd512148df900bfdcfb3d91c28ce9cf7638f18e857fe913bffac573db70586d6261474813b4baadf4831bf949f9
SSDEEP

24576:X4Ze+gp1yI/aLxE5HY9qzZyQ9HHgefs+LbeFgEC/fGKhQ8mI5EKq:7G1E5HGqzMCg3geEXGk+K

Score

10^/10

blustealer collection spyware stealer

Malware Config

Extracted

Family

blustealer

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

Executes dropped EXE 22 IoCs

pid	Process
1288	alg.exe
1196	DiagnosticsHub.StandardCollector.Service.exe
1876	fxssvc.exe
4140	elevation_service.exe
3800	elevation_service.exe
2620	maintenanceservice.exe
3084	msdtc.exe
3744	OSE.EXE
2780	PerceptionSimulationService.exe
3012	perfhost.exe
5052	locator.exe
4548	SensorDataService.exe
1484	snmptrap.exe
4420	spectrum.exe
3476	ssh-agent.exe
4924	TieringEngineService.exe
4168	AgentService.exe
2120	vds.exe
4880	vssvc.exe
1700	wbengine.exe
4972	WmiApSrv.exe
3332	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	PI-12042023-02.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	PI-12042023-02.exe
File opened for modification	C:\Windows\system32\wbengine.exe	PI-12042023-02.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	PI-12042023-02.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	PI-12042023-02.exe
File opened for modification	C:\Windows\System32\alg.exe	PI-12042023-02.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	PI-12042023-02.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	PI-12042023-02.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	PI-12042023-02.exe
File opened for modification	C:\Windows\System32\vds.exe	PI-12042023-02.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	PI-12042023-02.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	PI-12042023-02.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	PI-12042023-02.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	PI-12042023-02.exe
File opened for modification	C:\Windows\system32\spectrum.exe	PI-12042023-02.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	PI-12042023-02.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	PI-12042023-02.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\65744947c0346ca3.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	PI-12042023-02.exe
File opened for modification	C:\Windows\system32\msiexec.exe	PI-12042023-02.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	PI-12042023-02.exe
File opened for modification	C:\Windows\system32\vssvc.exe	PI-12042023-02.exe
File opened for modification	C:\Windows\System32\msdtc.exe	PI-12042023-02.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4260 set thread context of 3020	4260	PI-12042023-02.exe	89
PID 3020 set thread context of 3780	3020	PI-12042023-02.exe	116

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ssvagent.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\pack200.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jjs.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\klist.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\pack200.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\policytool.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\unpack200.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jcmd.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\servertool.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javah.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\native2ascii.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\ktab.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\policytool.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\serialver.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	PI-12042023-02.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\xjc.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\wsimport.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jabswitch.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jp2launcher.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmiregistry.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\rmiregistry.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\klist.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\rmid.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jabswitch.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\java-rmi.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javaws.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	PI-12042023-02.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javac.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\tnameserv.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstatd.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\schemagen.exe	PI-12042023-02.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\keytool.exe	PI-12042023-02.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	PI-12042023-02.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000163b0a2d3e8ad901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ac98c3333e8ad901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000078c321303e8ad901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000529696303e8ad901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ca8864303e8ad901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001e9ad4303e8ad901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a10e0b0c3e8ad901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000032c4e313e8ad901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007563e4313e8ad901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	84	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
3020	PI-12042023-02.exe
3020	PI-12042023-02.exe
3020	PI-12042023-02.exe
3020	PI-12042023-02.exe
3020	PI-12042023-02.exe
3020	PI-12042023-02.exe
3020	PI-12042023-02.exe
3020	PI-12042023-02.exe
3020	PI-12042023-02.exe
3020	PI-12042023-02.exe
3020	PI-12042023-02.exe
3020	PI-12042023-02.exe
3020	PI-12042023-02.exe
3020	PI-12042023-02.exe
3020	PI-12042023-02.exe
3020	PI-12042023-02.exe
3020	PI-12042023-02.exe
3020	PI-12042023-02.exe
3020	PI-12042023-02.exe
3020	PI-12042023-02.exe
3020	PI-12042023-02.exe
3020	PI-12042023-02.exe
3020	PI-12042023-02.exe
3020	PI-12042023-02.exe
3020	PI-12042023-02.exe
3020	PI-12042023-02.exe
3020	PI-12042023-02.exe
3020	PI-12042023-02.exe
3020	PI-12042023-02.exe
3020	PI-12042023-02.exe
3020	PI-12042023-02.exe
3020	PI-12042023-02.exe
3020	PI-12042023-02.exe
3020	PI-12042023-02.exe
3020	PI-12042023-02.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
668	Process not Found
668	Process not Found

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3020	PI-12042023-02.exe
Token: SeAuditPrivilege	1876	fxssvc.exe
Token: SeRestorePrivilege	4924	TieringEngineService.exe
Token: SeManageVolumePrivilege	4924	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4168	AgentService.exe
Token: SeBackupPrivilege	4880	vssvc.exe
Token: SeRestorePrivilege	4880	vssvc.exe
Token: SeAuditPrivilege	4880	vssvc.exe
Token: SeBackupPrivilege	1700	wbengine.exe
Token: SeRestorePrivilege	1700	wbengine.exe
Token: SeSecurityPrivilege	1700	wbengine.exe
Token: 33	3332	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3332	SearchIndexer.exe
Token: SeDebugPrivilege	3020	PI-12042023-02.exe
Token: SeDebugPrivilege	3020	PI-12042023-02.exe
Token: SeDebugPrivilege	3020	PI-12042023-02.exe
Token: SeDebugPrivilege	3020	PI-12042023-02.exe
Token: SeDebugPrivilege	3020	PI-12042023-02.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3020	PI-12042023-02.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 4260 wrote to memory of 3020	4260	PI-12042023-02.exe	89
PID 4260 wrote to memory of 3020	4260	PI-12042023-02.exe	89
PID 4260 wrote to memory of 3020	4260	PI-12042023-02.exe	89
PID 4260 wrote to memory of 3020	4260	PI-12042023-02.exe	89
PID 4260 wrote to memory of 3020	4260	PI-12042023-02.exe	89
PID 4260 wrote to memory of 3020	4260	PI-12042023-02.exe	89
PID 4260 wrote to memory of 3020	4260	PI-12042023-02.exe	89
PID 4260 wrote to memory of 3020	4260	PI-12042023-02.exe	89
PID 3020 wrote to memory of 3780	3020	PI-12042023-02.exe	116
PID 3020 wrote to memory of 3780	3020	PI-12042023-02.exe	116
PID 3020 wrote to memory of 3780	3020	PI-12042023-02.exe	116
PID 3020 wrote to memory of 3780	3020	PI-12042023-02.exe	116
PID 3020 wrote to memory of 3780	3020	PI-12042023-02.exe	116
PID 3332 wrote to memory of 3536	3332	SearchIndexer.exe	117
PID 3332 wrote to memory of 3536	3332	SearchIndexer.exe	117
PID 3332 wrote to memory of 4176	3332	SearchIndexer.exe	118
PID 3332 wrote to memory of 4176	3332	SearchIndexer.exe	118

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\PI-12042023-02.exe
"C:\Users\Admin\AppData\Local\Temp\PI-12042023-02.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4260
- C:\Users\Admin\AppData\Local\Temp\PI-12042023-02.exe
  "C:\Users\Admin\AppData\Local\Temp\PI-12042023-02.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path
    PID:3780

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1288

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1196

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2784

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1876

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4140

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3800

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2620

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3084

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3744

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2780

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3012

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:5052

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4548

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1484

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4420

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3476

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3756

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4924

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4168

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2120

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4880

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1700

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4972

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3332
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3536
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4176

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
7173fbd502093a8ad34281df03b0cd05

SHA1
feab000457a1855115a14f4f435c54fd7eef20c2

SHA256
e148d6c31a8c37592c5df9a56cf619ac5e2557958cbe6f04f57d0aa1531c8d5d

SHA512
ba1e941d7b56467bf8ca6e6a61e5640f9d4ae157ce1e35c38224c78f306984fcf7cd3c58783fa9c4c0d09c62f8e52a086d9d92535abe8179711ca6bdebb08f00

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
9a0668d8c61eaf7be9370c72e04734c5

SHA1
3778e8af54122933330c4df37902dd285c319cb4

SHA256
352eb50d8db6af40b7f08d70ce82c9a9efdbab5326e990b3dfa441a7d5ed3907

SHA512
0d2c81fd1f9fb24d1c49be7bc35765800a41666089fc3b78af9362921788ea470edf72ffcb7311116b897129c7ca8fc7b343ea329df86ebed368846165f56c28

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
9a0668d8c61eaf7be9370c72e04734c5

SHA1
3778e8af54122933330c4df37902dd285c319cb4

SHA256
352eb50d8db6af40b7f08d70ce82c9a9efdbab5326e990b3dfa441a7d5ed3907

SHA512
0d2c81fd1f9fb24d1c49be7bc35765800a41666089fc3b78af9362921788ea470edf72ffcb7311116b897129c7ca8fc7b343ea329df86ebed368846165f56c28

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.5MB

MD5
7843ee9cc47b62b72f106d4047d98eab

SHA1
537b0f17bca89d23ee348f819808746f7dc1f128

SHA256
84df7ea961af9ac1f70b8fbbece4bc8ae649c3c9bfd3cc547bb9bb3e70c790dc

SHA512
1b22fbe5470dab447e2b71e49acf18ff20cad6031eae2563258c717223b4edb3a310aeaa11d847cf40e4e539ae799260234f51d0d87e99d5fdb65572a3f0c97f

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.4MB

MD5
b34475e9193b9abe8faba5c04895e472

SHA1
146732179640c7de4eb2d4d73656e0267798cf27

SHA256
6a5a29273f84eb8b1c9b2892518b999ca87f99ece4bbefc1f9d75e0750237a45

SHA512
5801a1071065b8ab5860917ee75ecde0d5cd16ae0db9ff91b8abfc226a14c5101c7bc8e48c4aa5544ed5f09a1dc8f44da7df3a5cfb38333151cf7c2bdc9e9a2d

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.1MB

MD5
a8edfb4631c00df1e80c443d31cf4b47

SHA1
fefe980e17464ec189902e10261caec178c615e8

SHA256
a7b44c4e69340bf271f0257ef8ac2181db271a194959fac5a91b1bf4a8580f2a

SHA512
3f90c43e38ddb2abb4a4ba749772d6099adc43156144710d4953bcb8e23e8ac53a4c3eb72d85d7471d44b50679a6a61baf4c49f6581caa107e3cf73f298aed56

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
63bdb0f9f5d05001d138784397cf72a8

SHA1
2f826249b0c9df39d14bf37049e40a188d86d75a

SHA256
1ee1ff7b87b1a4d35f5fe3e7b38db997b92c43ec7309858646f5ffa5a7ff31ad

SHA512
ec1dd685498d5a6d6d97dacbd6284a0c6da97d5b107320a0a3b166fe0f9b5778087ae8c80dfa9a54d7a4803e9f76d33207180de64fa65cc47962ec7dc96ff312

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
a719749e6497da297fa7f5f1be2c976e

SHA1
d0d4d811350bad6967bb3c78087205e4f01f3759

SHA256
10d879781784769e2a19a1babbb9d16e5ad82381302d26dcdbd7fb91da07d743

SHA512
9fcd70853f24e12bafe48f3be25f4a7b256382609d505d99d5d115e7d0983fb8c755185421557c790998645f9bbdb01d474d82434b79acc43e540b55381b6e62

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
576KB

MD5
ae868cf0db065fd0d49a57d85efcae42

SHA1
323609fee9434e9442a954387ea51c13f8e1e058

SHA256
9f920ecda4792c3f5543c34b11dcf32793bb125c5baa7d3081a3af89fb54452f

SHA512
706c714f7b7de439d1bd8988596cd8f6e59bc50f7276e7beb18ba619674c04414d7f9a15bf814482ef3d1a34ae820eefc7c9d5d6cfaea63e96357a2d8610adbb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
640KB

MD5
3c14402ab584dc6213930feeff16f05f

SHA1
a51f6bddec1cc6c1b664bfbc388297120fd84b83

SHA256
e637af718f6f2a444520c04d04385a7709d118ab34bd72b076f9742b56c8fc07

SHA512
957228bf10070a6d1161fbdc8c2f03ab2840d233cc1dcda7d381bc41376678e48265e97860388259b6dd10e0c6b6e698254d24abdc07c7996cff454727d7fd1f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
704KB

MD5
f089e403f4fd37dbb7a3f9a77d289d6d

SHA1
09a4141d1120e06cb77055e1f6d0b1900d5a8aef

SHA256
e5013829aaf003dbd2dd219cd7d20d1e0103fa893ed900bc851ed9fd0eae4ce9

SHA512
f9dc133c48fcc439778eacd5c8e93ac1abfcef616b6c674af8cadd3e2f75f336936658cfda4a8ac421e2efb9432a4853b0db40ab2c4811f3f28ebf3f0a206066

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
1.3MB

MD5
f32dd82d6ab21464ba358603cdecbe2e

SHA1
58de5828440e145733310c4099aaa9f86d164698

SHA256
1d67302e5923d9f5c2a2ddee59c99fbb88333c828b04b4d4228e559393aacbcf

SHA512
fd41e4285a95152e214e19cd6e8e9c106b7f963725e34646235d238897632fad1663ca692e2e25edcad27dd88d5de2182f5a327d57607c2fd661eb236438c1af

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
640KB

MD5
d33d7e3559f0dae38d93b71f235e960a

SHA1
abea03cc3afb232c97fae32a6e1f9a9e962810db

SHA256
62edf2a23a3ce61c8d832f0e55b43daad82cad654f86426a43034f6aea26a71d

SHA512
697dfb45072669354c2fd8a4c785d32211e7679eee49e00b1d96cfcadd17801854340cf8ad08bee01f3c12652b5fb5b264fdde9b26457e9a1e99b1e3bad6ad23

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
50f3f2d5aa3164409ba92b4e5030df19

SHA1
0e7f9ba56512e3bff8466333cc3b67a030317a2f

SHA256
1a6324b37b5b7d0b3c8e56d4057800ef838eaba6603fe92ba90e6e690fa593fd

SHA512
7966536c84cfeb97774da23406cb554c3cca679654b68de17f345392ccd602891b03f2a645f4c6e1a35a2943613c73974d49e699533f2983cbb6292d99047e31

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
512KB

MD5
14be6d9a3567c341d93eb296e7cbb53c

SHA1
664e9627493f92b374167160a2305d4a0809bd5f

SHA256
665777f90dcf7cc683201c2d36ce54a885b92503235ceddc9b1d08d244a8e716

SHA512
4b9f7f728f3fdd63f0d2f4cf0174249521c38f905a5cb76dbeb01004605fd73bfee27c554f28689ffcc7beda5e96cee299443e570103954ff896e2f1ba65f207

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
448KB

MD5
ddfd671a514b9768ea540ea5baa25b5c

SHA1
aeb5e931a143f02008a951665dc9a3da028c99b9

SHA256
c5664997e0cbc15e5c0fcae9ab446684316277505ee6bb465ca797c7dc3a5a73

SHA512
d795cbef1d2955cd487383d83bb9056e89e2ef873682a297e0c5073b43eb3501d5ea31c49e8143b5934ebbf6745caa9af9265109b44e628c2370b179fb81aa23

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
448KB

MD5
d7b853eedfcb0fb30cebc8336ee1b0d2

SHA1
c8be07bacacdaa0975ab95cc0807d66233ff348b

SHA256
80b34c01b8e23af3c8aad593aeb3d39c9fb9464d9f0271a802891a924c5364e8

SHA512
8bf9e2471b55066104f3ab0b0738d9c82b03b197bc5baa98ac625cc65888287736ef069ba0323a56b9b01420f421b7aa0ef34e20c7c383648718e0cd8bd22eb3

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
576KB

MD5
ff40f28f36a541e23656936f9789c95a

SHA1
0e0cc97a801ef73ed037c6efaec7c9645eca831d

SHA256
403c9fc4c9223a83df0a8805f9f921eec806c58f149d15e68559bfa30d1fd0ff

SHA512
011a2ae268397fdf96d8b2de7eef258fb88e01d710a5c74c140029fbba3254db1ea02b628c1d8d4eadd3ff3af7b212fc211c1e41b41bae937c6fd0ca8cce0dd2

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
b8e90adf35967419977a9403150f43e2

SHA1
1f9680aa1be251aa267c196a958eaaaa96b3ee49

SHA256
350b5d1cc9d72cf1bd0b1553dc2c096caf1728333a7f6084e40b79b7a39b1b5c

SHA512
086f56bf2a4e6453dc865423add158a95759d8c4e80adbad663388ee0341a5e60438a437bd9a6f3fc30a519683ac0685775901a53d97ff86fdf42ab79a999745

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
640KB

MD5
2c4a2e20a319ee37af96529b43184320

SHA1
940d5c2fe9c22b61ec01fef9251cf0fc0a2df125

SHA256
bba25af225679628dc722930664201b076858b437014fc73e1741120455f39f3

SHA512
21b783b0f76cc5abac6a0786c3e780e693c970eb33514f5f4f7a8505f56e74034108bac2bd6098bca95de9c68d95bc24fa83ae4db2b4617d895059bb1ee14304

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
576KB

MD5
e19e7d9fd5a6a403a1ee0477fe326233

SHA1
96ae0aa349a373348de2534577ea682788bf646d

SHA256
1acc582541f7ed572de5180a56644915592f945878fc7b45845a31a28c9c1f90

SHA512
7d9968cc602ce34727c8e62b382ceb0f591b5210303c841239ea9adb57f79e457b4881eb19050230ad391d54403732f22bdde015b25421f0ea96e6b81e6a5e49

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe

Filesize
448KB

MD5
427018f9463c1b3d00dd8833630ce8f8

SHA1
7a698bc2d22ec84eab3fd58f52c3f2a74580fd1f

SHA256
25f7f24c7b5c374173be1f7499d7d52cc8fd535ef46f1d32dc5bb81453c6e163

SHA512
09cc328ed1dea89ce1e741fca39e729fe57b7b1204cfc64d061a6dce52407a703af1a048677d538500f1c8a096d849b01d01256f2eb2b36cb291fb2349b2c14d

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe

Filesize
448KB

MD5
e50241b0089cbe58b47db4b9d266ce38

SHA1
9f729d1f3ec311cd6df818bb33e08a73aec77256

SHA256
b693f60ca5f2571551fe80b90833801a3fd5b4e1417c21d8360cb05049740277

SHA512
0e3429fbab43b8dad1622c9f171bdd1b4f19009362ab9a05c6e6193b1b1c4a7e3d22cdf306a171bf926027b38cb16f0faa84f375e39c8fcd1b7e497cb6a940fe

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
ef7f55060eab4f3fb9b9edbd4bc5b9c5

SHA1
0b24076145b3d73e6220689dab03b6c244560f15

SHA256
8765318c1f57c27c73fee05a319853cb6221ed41e0d331b55b8bb06366156bac

SHA512
7d42896c352001fe2c8c7a0562ef52658d6df9cbecd34e83bcd61dbcc9d8bc96e38c97b66fb4d016d8d62db3314f171ec8d186c992055c62d14d077bad3caecc

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
789388d5cb5b1b6184416e2c2e4c13e0

SHA1
3b574a2720f956bcee4039242a36d42dd238b78d

SHA256
a8f746ede497ac983a4d0c6255dd69d8904dd407479861d18e19c5625f85624d

SHA512
fa9518b9ff13b413fa4c53405d54b1e499a126a52686039db84bd9c9bfb5449d81ffa33145e7b25bdf641869330ae15df7cbf2f53f30d0b5053a8ffe0c57d435

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
19ea7fc219f588764acbbee9803784d8

SHA1
7b1b27868fde3d7dc9af90015c25def86b2322de

SHA256
25ef6e1ce27dd12fb5b2717f2a1a485172b6c4cb3d46657945b0300f977218ce

SHA512
bcd0de1dbe4356f967578343b6dc3e106d8cc055b2e7262988aa133984b8dd708808281c8d2e1a4aac37698510d705110056125ffedc480f3b5149928f3bb527

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
3d44533169b9cf4bb6282e738e51541d

SHA1
5ee07dc9b39331cf8eaf1038ab087a6c9de6b951

SHA256
0f80f87f9ec42d41754c119980672a20c25b5684a8124c0984a2407700f77d2f

SHA512
8c60b0fed744721515f236151b5dc3cc8ebfbdcbe2cacac3d0755171e72d23ef21990be0c298b69f8c0db0996fed720d1a547128e6bbe22c88b0e14b8c998699

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
8fb98a8c95bfda7119dfdeb9c8861614

SHA1
f12e063f58ceab594238f0d7fcad67f8cc32cff7

SHA256
11149092e99b5566f0ad32c1d4dba8d3afc82ee1ad221b36cff270fe0e2f686c

SHA512
a8a2a6b1f9541eea632ba9e5e050c9c3eee2b9fc600d95cc6a0b6a8f70b97336bd69a8586af88f5dd7eb5caa205576fee7584e028db5cf60d48dcc6bdb2c79ba

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
13152c34ee4e614ec04e3dacf7ff2061

SHA1
bf4275bbeb026acb9a28226dae4bf488600e865b

SHA256
15d5939631cac9750f7948c443d8685eda7cd6eeaf6c8677868fcb7366d285d3

SHA512
898b29f80d46b9361b6c429fada017c4fdf02901af989f4fb7cf281e448ed48b24cc97dccf77b5eee053332144e693211fb29e790d5fb726af72ffc49c9ff838

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
6f8e212b9e5e8e6acde36d14434d23af

SHA1
e1727a443496ae5994570028489ad31bdf30963a

SHA256
f431538601e0e3a22e61d0f22f041137fc70188821052947ec3a10ee0fdab82a

SHA512
7006e3a81b012229a8558fa140ffe98336798e7644801bc1c13195c1d29ff81b306e9a46962994c8fcff7ca055c58e3ed46e1f98053c8c309db7deaeed744aed

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
6f8e212b9e5e8e6acde36d14434d23af

SHA1
e1727a443496ae5994570028489ad31bdf30963a

SHA256
f431538601e0e3a22e61d0f22f041137fc70188821052947ec3a10ee0fdab82a

SHA512
7006e3a81b012229a8558fa140ffe98336798e7644801bc1c13195c1d29ff81b306e9a46962994c8fcff7ca055c58e3ed46e1f98053c8c309db7deaeed744aed

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
0770291065463644c32774da695da078

SHA1
04e692aaa652de0a0d650fc00c4abc68e0c85e7d

SHA256
6539d2236c45a22ea7d18245094e4b1a9c75babb801686617b5ec7499ce78d78

SHA512
46f6532af6c03f9297fd2d6d7e590c1c258a9ffe1430e4aa0f4e0478f7b6ca1aa500e5451d9e14a5349b46766571fd4c54fba2c1e8a52d851e2b1dfbfee5f22b

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
1ea3bcfd9e0da2c60046e5b65d61ceb0

SHA1
48230d0fd999dcd15914bd23232350390d849916

SHA256
0829409257cef37494fb5056ac06f13c4e884dd4037d5379adeb9dab79a8c3fe

SHA512
5d683137d0126aa9bf269c618d9ec2f44745b07bf4fbdbf48338e8837acbb1e235c303e62e1a6f1b8caa7f0679a3569ee6d3f984014d98c4c69d79389b40e6e3

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
77b6ed742d17540ea8e0f91612907528

SHA1
56e07ac0c5e47485588a3f5590ade81bd8b31016

SHA256
877e12f9bdcf007ed17414373522ba29b42ed773b4564c8affb73257fd2ca99b

SHA512
150dd12171efe24388a20492c934dde0529e64471dcd0768eb9816243b6bde54efc56b9cbb094461f23e0ff1171b7568503450fbef770b0f1be4c9ae41b93574

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
77b6ed742d17540ea8e0f91612907528

SHA1
56e07ac0c5e47485588a3f5590ade81bd8b31016

SHA256
877e12f9bdcf007ed17414373522ba29b42ed773b4564c8affb73257fd2ca99b

SHA512
150dd12171efe24388a20492c934dde0529e64471dcd0768eb9816243b6bde54efc56b9cbb094461f23e0ff1171b7568503450fbef770b0f1be4c9ae41b93574

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
30882a5504a4c904f10d0a9f26a4091d

SHA1
b5ba66ddf63b6c7bf7e0aaf53550bccc4cd9ce30

SHA256
8a8f778e80c4d8389850d84a3442f99753a92c95fdcf392c72dd409ef068830b

SHA512
54030ea8a36050dd15ac045d63601dcdc7a912fc5754979c959d7402e6e500dc1162017803182e04345985574ffdf2af2c31c2a5ed96160be903adcb72d4b5da

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
ad5643a7b69012613edf32d2539a3397

SHA1
8ccab5c3e1558072f2d17c6b769f2d7d04c91a77

SHA256
7a8b99b4949036cb0725dcf3d7a5e95b81b58436180319a3333b2083849ec63f

SHA512
79d7e79a10df0658a33eaacb173bad6c6f58ed3228ad5e2a42ffce7223b82c4d805e15bf8d2a598c0680608f2450c279f237c9fde4c84889111a88b2e73d7c5a

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
69c216fe9f446e9a8ce64f066e66ba60

SHA1
c191ee8700cafa3ab310f9b5761e3aac9591f15f

SHA256
e22149b7abdfe6846e0beba42f96b1f9b231cc471e84e5b3a8bd2acbfcf8476c

SHA512
95a6cd8552fde75d61a6fa772217e3585e35eee73dddc5e27938ece6980810169ff77ef5c28a9290e985e943469bfd10abdfc8e7cfa3e7b4d4a657aa7d9aff6b

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
9cc5b5d264b0e49cde2a0e36079a7bf3

SHA1
791db8560efb8e3c99218a36422fe83ccca03286

SHA256
3ef96824c62891638c24ee464572a6aa92c61392c880075ab88b9a9e33fbdc6d

SHA512
c9e81a11b4b4f8dd3e3ab984d6e59d1f79067989ce541e220999c9c1dd11b756f6dc50f786f1beed1c141ac8c14764d2e72746c2e359a9761f3e9caa9ddd5820

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
de4567c5ff0c20567de8e65a69e033da

SHA1
0e05d87ee0d831fe1ab779ba25cb2006d41381c9

SHA256
cd8a20c3a490981c75e28adeb9a31ca0ceafbaa4b09d556c44dd6e1dd3dc1cd4

SHA512
ffb6dee3d07f7f05deba19c6caf7ca9062efebe171e6a76e9e8c029d5b0f91d1ce4308456ebb225e7e8abb6183a0490878caf58387a34ae1a991197162f19cd4

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
391101d9c0790f3bfe061c807593b754

SHA1
927fc00da13289530a951ef2f59691fe7dc74dc6

SHA256
500092a341e64efa50cc85f9ffe382dfd7bf845c4d389527a343d74438df4420

SHA512
72a4505b17b104a87c7174d0b7697cf0c5072f2965071ab6215f9ccdf22cfe50a1077e4b1654dc75d2d55dfe327619d0bf3773b1395915aed64b992586906caa

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
658d6c0395a2fb21c09ad1696223c08a

SHA1
b7e08b6db0c7ec2916299d280f13ba7aba1337d6

SHA256
d9555f0fe01bc9398d3035deff7ea8d8654a65b813a7d907eb209bdf69f461d9

SHA512
dad279a29cc31a3b6f19e7ac8c65211a063b52734b491819a04ecda9ee5be647e56a3bb29e0e87b1bee79018e421045efa1f0608dc5b88d262e41e92634bd5c0

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
3dcd1163c0985c36fb5855baf4887eb8

SHA1
2d8d2101f6d36964d74a446d680a620be8aa228a

SHA256
9c356794e1811f6d32b165b6ccf121d43e512b4c8f5f669d5993f3e0d018f397

SHA512
db3dc77dbc471efecb31079c390e98b58cf4f38d0e92787cc307f47deb4edd009911e3540f307fe78dd323552c42fa8a1fef5e09ae518e7b64de019e8615b716

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
02c8b45ca4146b509a04cf81770eaea2

SHA1
0daccf35252016a22276083ac60093ac37b38881

SHA256
a8613084d3fa301ffdf3b69263a62e21b717ad37b0a2410883fad48fbc6314fe

SHA512
fe6f6e8f0c916e0554608917a5587fbae139850daaa64a462ffd731d9e58639bec722d106f5bc466b6f86319381d90916e1196eb8d461bc453ed1f3a982e091d

Download Submit
C:\Windows\system32\AgentService.exe

Filesize
1.7MB

MD5
19ea7fc219f588764acbbee9803784d8

SHA1
7b1b27868fde3d7dc9af90015c25def86b2322de

SHA256
25ef6e1ce27dd12fb5b2717f2a1a485172b6c4cb3d46657945b0300f977218ce

SHA512
bcd0de1dbe4356f967578343b6dc3e106d8cc055b2e7262988aa133984b8dd708808281c8d2e1a4aac37698510d705110056125ffedc480f3b5149928f3bb527

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
1f3b816145a8978472fae718ca1ac9d2

SHA1
8e8d837a8a7c890276f20d6c54a5f1a2529fa1a7

SHA256
c0184fe9a1870f3d7976786ce266f96d09fe7b1263958793c4d21590cea7406b

SHA512
8d881fd6d3086b173706e96079597ea97c0be0db032f2a63aa5bbb5309c12c1771334e72634f30c56be31475789b199e99248d309b0895c16294651b053a262e

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
0b4c42fd81bf824aa1f5dcb9d488c7f1

SHA1
fc2598b15c6fbeb99f1a0950c6b6a08c05f6efb8

SHA256
b3453927349facfa763382ce74fd667aee627215a9c08054995d2a93472f918e

SHA512
c99c020a55e5782ca17841436597b6846769c9f7da7fec59d446b5f68cfc507496755c5bc38d53f1162e5d6e8c89b0a070e884524345460932724ba620f75ff7

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
8fb98a8c95bfda7119dfdeb9c8861614

SHA1
f12e063f58ceab594238f0d7fcad67f8cc32cff7

SHA256
11149092e99b5566f0ad32c1d4dba8d3afc82ee1ad221b36cff270fe0e2f686c

SHA512
a8a2a6b1f9541eea632ba9e5e050c9c3eee2b9fc600d95cc6a0b6a8f70b97336bd69a8586af88f5dd7eb5caa205576fee7584e028db5cf60d48dcc6bdb2c79ba

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
66d7f933de10c195794907902f8b485c

SHA1
162a8023408470f58b873d417b1c4862c3e587ec

SHA256
b062a77cfedb1a35e0b8009f8bd83d1f723197c79d389962a3169cd8f972cf14

SHA512
8194cffa10bcf88957a0ef24b9e0dcd7ec9656c808c446b7215791816972501766049b10b42eaccc2e17969430c2234949250aed5f8d5cac7da301e67dfb64c8

Download Submit
C:\odt\office2016setup.exe

Filesize
1.9MB

MD5
530dc7a6ea79458532ed74185e8b9583

SHA1
1675f70d1bbacfce27cba88c31c4f6212a65c0d6

SHA256
d8ac7dbd836c0cb0bd851e7c81f8fe8e69279c348eb5bb347dc92a10647b311f

SHA512
7cdbc4d9f7c83517f2f510a591dd29c5e9572a213ffd1ba8e3bd872ba2089b4251fbf063d7f851c0a5ac29a8e1fd33f63ec94fb68c248fc3966c3463439c60e6

Download Submit
memory/1196-170-0x0000000000490000-0x00000000004F0000-memory.dmp

Filesize
384KB

Download
memory/1196-179-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/1196-176-0x0000000000490000-0x00000000004F0000-memory.dmp

Filesize
384KB

Download
memory/1288-156-0x00000000004A0000-0x0000000000500000-memory.dmp

Filesize
384KB

Download
memory/1288-367-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/1288-162-0x00000000004A0000-0x0000000000500000-memory.dmp

Filesize
384KB

Download
memory/1288-168-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/1484-308-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1484-558-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1700-609-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1700-387-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1876-181-0x00000000008C0000-0x0000000000920000-memory.dmp

Filesize
384KB

Download
memory/1876-187-0x00000000008C0000-0x0000000000920000-memory.dmp

Filesize
384KB

Download
memory/1876-198-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1876-201-0x00000000008C0000-0x0000000000920000-memory.dmp

Filesize
384KB

Download
memory/1876-204-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2120-599-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2120-368-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2620-217-0x0000000001A10000-0x0000000001A70000-memory.dmp

Filesize
384KB

Download
memory/2620-223-0x0000000001A10000-0x0000000001A70000-memory.dmp

Filesize
384KB

Download
memory/2620-229-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2620-226-0x0000000001A10000-0x0000000001A70000-memory.dmp

Filesize
384KB

Download
memory/2780-265-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/2780-495-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/3012-284-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/3020-149-0x0000000002A30000-0x0000000002A96000-memory.dmp

Filesize
408KB

Download
memory/3020-140-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/3020-143-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/3020-167-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/3020-144-0x0000000002A30000-0x0000000002A96000-memory.dmp

Filesize
408KB

Download
memory/3084-471-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/3084-231-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/3084-237-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/3332-625-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3332-412-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3476-327-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/3476-582-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/3744-263-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/3780-437-0x0000000000420000-0x0000000000486000-memory.dmp

Filesize
408KB

Download
memory/3800-212-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/3800-215-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3800-206-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/3800-408-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4140-200-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4140-197-0x00000000004D0000-0x0000000000530000-memory.dmp

Filesize
384KB

Download
memory/4140-191-0x00000000004D0000-0x0000000000530000-memory.dmp

Filesize
384KB

Download
memory/4140-406-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4168-357-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4176-748-0x0000020605ED0000-0x0000020605EE0000-memory.dmp

Filesize
64KB

Download
memory/4176-657-0x0000020605C70000-0x0000020605C71000-memory.dmp

Filesize
4KB

Download
memory/4176-747-0x0000020605ED0000-0x0000020605EE0000-memory.dmp

Filesize
64KB

Download
memory/4176-656-0x0000020605C50000-0x0000020605C60000-memory.dmp

Filesize
64KB

Download
memory/4176-749-0x0000020605ED0000-0x0000020605EE0000-memory.dmp

Filesize
64KB

Download
memory/4176-750-0x0000020605ED0000-0x0000020605EE0000-memory.dmp

Filesize
64KB

Download
memory/4176-767-0x0000020607ED0000-0x0000020607EE0000-memory.dmp

Filesize
64KB

Download
memory/4176-768-0x0000020607ED0000-0x0000020607EE0000-memory.dmp

Filesize
64KB

Download
memory/4176-745-0x0000020605ED0000-0x0000020605EE0000-memory.dmp

Filesize
64KB

Download
memory/4176-746-0x0000020605ED0000-0x0000020605EE0000-memory.dmp

Filesize
64KB

Download
memory/4176-744-0x0000020605ED0000-0x0000020605EE0000-memory.dmp

Filesize
64KB

Download
memory/4176-743-0x0000020605ED0000-0x0000020605EE0000-memory.dmp

Filesize
64KB

Download
memory/4176-742-0x0000020605ED0000-0x0000020605EE0000-memory.dmp

Filesize
64KB

Download
memory/4176-741-0x0000020605ED0000-0x0000020605EE0000-memory.dmp

Filesize
64KB

Download
memory/4176-666-0x0000020605ED0000-0x0000020605EE0000-memory.dmp

Filesize
64KB

Download
memory/4176-659-0x0000020605C90000-0x0000020605CA0000-memory.dmp

Filesize
64KB

Download
memory/4176-658-0x0000020605C90000-0x0000020605CA0000-memory.dmp

Filesize
64KB

Download
memory/4260-139-0x0000000008680000-0x000000000871C000-memory.dmp

Filesize
624KB

Download
memory/4260-133-0x0000000000450000-0x00000000005C4000-memory.dmp

Filesize
1.5MB

Download
memory/4260-134-0x00000000054D0000-0x0000000005A74000-memory.dmp

Filesize
5.6MB

Download
memory/4260-135-0x0000000004FC0000-0x0000000005052000-memory.dmp

Filesize
584KB

Download
memory/4260-136-0x0000000004FB0000-0x0000000004FBA000-memory.dmp

Filesize
40KB

Download
memory/4260-137-0x0000000004F30000-0x0000000004F40000-memory.dmp

Filesize
64KB

Download
memory/4260-138-0x0000000004F30000-0x0000000004F40000-memory.dmp

Filesize
64KB

Download
memory/4420-325-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4420-581-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4548-305-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4548-488-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4880-607-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4880-385-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4924-344-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/4972-411-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/4972-624-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/5052-534-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/5052-286-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download