daef5e0310593c129e26b9987fe17aa335387005d521537b3e20af3916d18ccf

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 10:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-28_ca6abe075e5150e59ceb20b2487c5c35_avoslocker.exe
Size

1.3MB
MD5

ca6abe075e5150e59ceb20b2487c5c35
SHA1

83dd22d46ab21629384c7aeddcc97d8de1a2a04d
SHA256

daef5e0310593c129e26b9987fe17aa335387005d521537b3e20af3916d18ccf
SHA512

44be957a668ce5367f793eeec713424db4a63f67007fc76567360ec9c5da70d88d07680623f799329c31856c6eb2fc8cd47fb2c941d6d81349f0301499617073
SSDEEP

24576:t2zEYytjjqNSlhvpfQiIhKPtehfQ7r9qySkbged24+mIJz5IcuMlQHJxrDiSi:tPtjtQiIhUyQd1SkFd2isGcnlQHPxi

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeelevation_service.exeelevation_service.exemaintenanceservice.exeOSE.EXEDiagnosticsHub.StandardCollector.Service.exefxssvc.exemsdtc.exePerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
396	alg.exe
5004	elevation_service.exe
3604	elevation_service.exe
4740	maintenanceservice.exe
664	OSE.EXE
992	DiagnosticsHub.StandardCollector.Service.exe
3508	fxssvc.exe
3156	msdtc.exe
3680	PerceptionSimulationService.exe
4320	perfhost.exe
956	locator.exe
1064	SensorDataService.exe
3612	snmptrap.exe
4900	spectrum.exe
5024	ssh-agent.exe
3620	TieringEngineService.exe
2160	AgentService.exe
4360	vds.exe
1492	vssvc.exe
840	wbengine.exe
2568	WmiApSrv.exe
3972	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

Processes:

elevation_service.exe2024-04-28_ca6abe075e5150e59ceb20b2487c5c35_avoslocker.exealg.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-28_ca6abe075e5150e59ceb20b2487c5c35_avoslocker.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\3760d6f4ad45b396.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

Processes:

elevation_service.exealg.exemaintenanceservice.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_99140\java.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	elevation_service.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_99140\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	elevation_service.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe

Drops file in Windows directory 2 IoCs

Processes:

elevation_service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000511c47325499da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000d426d325499da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000af915c325499da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000869eeb325499da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d003b0325499da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006fe06a325499da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001c8f9a325499da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000088fc4a335499da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a0a46f325499da01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

elevation_service.exe

pid	process
5004	elevation_service.exe
5004	elevation_service.exe
5004	elevation_service.exe
5004	elevation_service.exe
5004	elevation_service.exe
5004	elevation_service.exe
5004	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656

pid	process
656
656

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

2024-04-28_ca6abe075e5150e59ceb20b2487c5c35_avoslocker.exealg.exeelevation_service.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	3704	2024-04-28_ca6abe075e5150e59ceb20b2487c5c35_avoslocker.exe
Token: SeDebugPrivilege	396	alg.exe
Token: SeDebugPrivilege	396	alg.exe
Token: SeDebugPrivilege	396	alg.exe
Token: SeTakeOwnershipPrivilege	5004	elevation_service.exe
Token: SeAuditPrivilege	3508	fxssvc.exe
Token: SeRestorePrivilege	3620	TieringEngineService.exe
Token: SeManageVolumePrivilege	3620	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2160	AgentService.exe
Token: SeBackupPrivilege	1492	vssvc.exe
Token: SeRestorePrivilege	1492	vssvc.exe
Token: SeAuditPrivilege	1492	vssvc.exe
Token: SeBackupPrivilege	840	wbengine.exe
Token: SeRestorePrivilege	840	wbengine.exe
Token: SeSecurityPrivilege	840	wbengine.exe
Token: 33	3972	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3972	SearchIndexer.exe
Token: SeDebugPrivilege	5004	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 3972 wrote to memory of 4416	3972	SearchIndexer.exe	SearchProtocolHost.exe
PID 3972 wrote to memory of 4416	3972	SearchIndexer.exe	SearchProtocolHost.exe
PID 3972 wrote to memory of 2560	3972	SearchIndexer.exe	SearchFilterHost.exe
PID 3972 wrote to memory of 2560	3972	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-28_ca6abe075e5150e59ceb20b2487c5c35_avoslocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-28_ca6abe075e5150e59ceb20b2487c5c35_avoslocker.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3704

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:396

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5004

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3604

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4740

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:664

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:992

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3116

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3508

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3156

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3680

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4320

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:956

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1064

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3612

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4900

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5024

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4824

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3620

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2160

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4360

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1492

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:840

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2568

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3972

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:4416

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:2560

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
7d3e76ca82df5e3e8910f941764eb1e5

SHA1
61e2dafa33aa5ab202fe2d5411f964818e9f4b64

SHA256
2d5380074e357f78519bfc1a491193cbaf2b94f676a4452540d516c9fc3ef3b0

SHA512
552136f8e087cc6c68fdddddfe8a4d752a8c6b9fa025c2f1787eef7657338ff5e6df16cd08485f452290b0ef6c5f474a9337c0ef021978615d74b05b387200e0

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
789KB

MD5
980d44df7d3b073d3844bfaa00ae4ab5

SHA1
7cbaf6c49f2b34b338dc54390f94c3c139b70da1

SHA256
41ec5a8055b320610b3b1d9df14c28a58f7116809f7a7121b9646795610b16d7

SHA512
7d892d61b27de26e3f03f40ae42179f7323383dad15ea52585a34df4270ffa2ecf680408e398b7c20008bdbf8d804483e42c94dbad7e10840d92d4fe7991a5e7

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
ac534e6193b530c220120d7813324231

SHA1
eff7f009babb2415067ec35127dac64d928aa060

SHA256
6d7983dc1d2e8aaaae7c11279b6143fa2069abbc66b8d1cbced0e08b10d836e6

SHA512
e0e37d8cf01e0145b5b9a5ab831e543bb3891b751c4ab853934beaa53666b10dd5f935a092c76c98ac5d48246cfbe1d47e1729629155f51d47a3a5e1b10161fb

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
6a6cd0b87e4ec37a776c499618b4e43a

SHA1
89d78067b9fb95a83268a64ca26ab94ab0d3f3fb

SHA256
e961311f2a495ad5de93a74f61b10c98ce3e6cbd8cd5466606f71a96e6312565

SHA512
5482765e854575760cffe9c6630eb59763390649c877f155b29a4fb6b80be23894a4d261500ef1f1580bf40a01b600ab0bbd8bcbd6ab4a63c9d1a1a09b1d239e

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
7a817bede2092da53399c8ad8f54f66f

SHA1
3c834ca89f58895812c3e019c961e23b1f58d6cc

SHA256
0b04af95a8eec231205612069323126963ba1be7bba6f85a2a09083ec307f83d

SHA512
41d4fea89b356b847a16bfb5bbdb3a32c49a10c0189d06860f65c3033c08b0a7ce66c34f54caf4289ea949717c80053b9db1bdef72f275820a8b740e63f5ac92

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
134036e176762c7ce1799ea5b4c15869

SHA1
222634fda4aae71320f4ee23284546474e4bb6cf

SHA256
4fd991e7a4a153e7118c17c6100cb6bfcb9e2ff29a5c0b45aec494808036b0f9

SHA512
68022b5b923e8bde61ead127ffd926fa8354ec5e4f7437c8e6835c8b783297300549172476788cc870a1e034516d33bacb3009094973a517f4076d24724b1195

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
07bff6b66b653e660dccfc01b116d737

SHA1
497527e7ea488ae0776ebaf95d317beedd99bbac

SHA256
1db81a5c003034c8a069cf80852ff6e9e9041576d5a9a1672818a33ff510707a

SHA512
5d5517879acafe6950e77d1c319c580e2de456642a18de2072be0a69e2aebf2611b558a406c404f39c21abe44276288213ddf937eb12d992bb750f6a5b7bd69b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
7a84821f36c3a3152a1e8b6f47ca916a

SHA1
669cc4e02df83aa93182965e78101ae9b0e670de

SHA256
b6256483851c30227d0f84d1e72fa036e2a23787b32c2673a1d71b1696f99107

SHA512
a8fb6a7ef86005c8cade361f89b8ef4d314d4c6dfaa4cf6078a5bc916e33a475bf706da3a075ba6a9672ce486d0e816f4ffcb0cfbe65bea9b524af1f527d42be

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
9dd7025eda33dbbfcf227f45ca945c0a

SHA1
56ab19cbe4bbdf4ea6a3a12f9bb12ac9fb71715e

SHA256
7649ac02044c349c6dc14010cf3cacf9296a097c351b8b2f64ac539c3f805034

SHA512
333c6470a26f1fd394106f17b78490e7a4b7441c9688cfe72176f1b7090113ce549ad7610b33e945dd2e36a6245bebc3bb724de3f83fa2701ab1ca69423adf6e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
6f1cef75d8ef6c238ffbdd2821898baa

SHA1
66335300b91bb07e31569abb50fa6b389664d1b4

SHA256
4a62b8e293db05b74fffdfb2dca16f7a21c4320a508439018a8c1f8d976dd488

SHA512
6519e367b413fcf492c8d95fe438ef554b8d1b2eec33843a182ae11f225ca06f8225fbda4735081e1c7300944776a6a74fac4ce8496e871a04d56ec59564bef6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
9380334c81d2376eb026fce53bbd402e

SHA1
d0bab2fe2c2c335bd0812f1a82f9f656d213e817

SHA256
8c6a01b019d99637f7fec91448da59a490481d7ce0de84c5e2db673ab0a5beca

SHA512
f125c33ea3a138ca186de38a935c4c00bce0817743119186512c43641434df7c1a087520a70fed48a3a48c9ad25b51cbfa59653b0e5e46514c2988b55c07ab45

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
b3444950c719d471fa639f8c80df6782

SHA1
c1ba9e04caf914d00aad78674f3020929096ee48

SHA256
452979286d2ca46d63ef0463864740c2fba7945c647bf173442f83a2595a41ea

SHA512
e52e092da523cd335887cb8e4f8a0d408af32d8dcf21543e72760c51a041b5ac5b92b4f191d988fe3161df09e490673ffbca2b7af952859bdc896c348b3a1c70

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
ad0332b6d5644e0214e4453c965d17d5

SHA1
3255b0b9d95e1afb1d9faed296ffb7ea151c0bcd

SHA256
6471c1f68fd901ce19ea2b80ebae26540f6754d9d75230adde054065ad176ae9

SHA512
6315bc3f32a37401336ae8408ace01deeffe1dc1785c7b528a9c43aa9bed32247eadeb83e8a0ae63231814c3e8c4e0fb2e7b0f160a8a163bc894060e7ff548a2

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
7ee6b2b7689b9c19c0c260d9e135f46b

SHA1
37f3ea2165abd3e61b583797293be3cd1ad7df98

SHA256
3322b5aebaa8a2ed6cf97ea12a3a5d12dca8581eb2c2d821faf8e06ecde093fb

SHA512
ae9ef65273362f2f61438cb6e06a736ce7edc7ccedae362a9e325f025c26683ac0a3d71de60080422cf5e9286a8a3cf3d4be6d7c88e0e93959664b29e509cf07

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
Filesize
4.6MB

MD5
af28124ef9e659d7af877899db65c75b

SHA1
06b6e71f7a531d7ac73df5eac73a376f03ffb284

SHA256
e6269aa17e906f139f6a720d9a794e72758975d67417a16b9941ee6566908f60

SHA512
d235b9309c1c1b6ad9ccc96dcaf8e6480ef5808c4faff3d1defc2cfaa159de525e806fda8d53d4ed2cdfba8f248c0e0effc05a1dd7d623e86ee141e1aa3516ac

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe
Filesize
4.6MB

MD5
a7493e09823890e4a78b8e21700d41ca

SHA1
f986400cb46564164e441bf39d4beddec50a44d2

SHA256
1d1b936cf7b6e5edc7e0f1ff0c95fc0ba72d6873da32e025a99957e2e195057c

SHA512
ef08a761728549a24f62565482f30ad94fd2d62d09ced2ed738f387f5aab04652eeb01ac79c1453457db1ff74408b29584c4d84285980e4434d6c8c38e813561

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe
Filesize
1.9MB

MD5
14fad407b3d84808368ba38616d546fe

SHA1
0cf3d8370be39cf7b1409ebdd6c6a1f01fe6c562

SHA256
30a14ca3d382f210a381406fc6a58c8b9fcf68955f74a4ad1822098418ddee10

SHA512
4349e969f62a3721cf76e15dfea494dd2b2c03198972aa7e3ca71b535321667cfa2a9c2b4b4c0854d7c4a6500594a98f734ad8b123e658ad97e6298f4b2b5304

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
Filesize
2.1MB

MD5
5480cbf239208fd5baecb61c1be39b7f

SHA1
0910c7748678833aee563a353daaf5d152446a66

SHA256
33b46da81b59a5cabf40360cb8878dbcb955689255872616fd0bc74225ecd007

SHA512
437f33da30f24701200e54a8095273f8c96589ff2347270c219d326ffa261b1316d8d9d3df3e3b727aedc7cf92666280ce579da02560e4a4dcd49ae4c138466a

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe
Filesize
1.8MB

MD5
194b8fe0c0660868a112de6b7ab1c0ef

SHA1
c810caf35213dcd79bbddd491272723b4201a993

SHA256
392f6f446ddde5295bb17ea0fe72ecb07a043b215be4ac7febe71af5a78d83e2

SHA512
b891d8444495148c450db81c6373f43badf99eaccb865297f8716bf2da72a0667193b1891f9c2d639a688f3141e5d51fd68f83f209d6758308500a028d79cb05

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.6MB

MD5
f6b264a2f6a63a6da71e468509669b95

SHA1
9cc591bb9300a8550847a22c475d25de8b521d1a

SHA256
2556d08f999f01c9f1612616e38151aadc4663e1d59d23a96a22780ee0beac70

SHA512
5cbc194e11a20488da1173d983be65c05e57dc9bfc0ab96ddb69476b305fe31f08d010ade0e8ba2ff0b6667cc492d31aa048d60eadc10626447bab79fa8d9332

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
581KB

MD5
aab82473f039a56a3cc32f0de0b2fe6b

SHA1
c0c82a19bf1b1f3fd6df72a1d291a1b857783394

SHA256
a2276be29f5d618aadc5073b998bffe6d7ddd6aa5784938f38c09d171ae903a2

SHA512
0bdb73451ac7cbee6fb1d9c0490f67b330d68f8b1cb58980f0f1d6fc9db43aba318cd8862cf4f3ed8a95b502996a26d93e8a4e2b7cd2c72d13cf9295898cfb1a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
581KB

MD5
f1a8b603bbafc2fe31b34bfb296b3e26

SHA1
e6f5419e72a2dc2cf5f2cc25a5e51c741be05abf

SHA256
d4a8ad0071e6a674c38743dd6348c938b669b76aab0b86919eb2c1b8b60ae6bf

SHA512
f889a9aeefbfab940f32714e8c666f73e633ed3101c0565587ca746a7ad9423167fb92d72261338cfac3ff5fd0fcbf468836a4bd40d3372d4a305dcfce9cc39a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
581KB

MD5
4d377d4f248e1286c77580e8e3bb793d

SHA1
d30d656c5e62c5c09e650fbac070fc78dd7dd479

SHA256
1d3f9f7ddc30312873186521ef1b2d4631b5908c01b5e851a67ac4d154bebc74

SHA512
31e2e186ef8fd2b85de533424fa38dbef16d63dddccc80fde39ebb0a2004eab336c457deac7f8cc17587b3c2106f5ed47ce93170899e449f7a64ae7a76011b70

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
601KB

MD5
554d099b22f492ea9400fdd2c6f7e175

SHA1
5685069a44a70a7e5f0f5f75107cba2badfeced8

SHA256
6685260a50f7c38bc2e29d6b593c0cdcc7b93046d39fe55cd5e93b1fa0c72ba2

SHA512
505bd935de3e0246baa517365400f3f30b2c8e37191b61c1c3a211031812d17eca1e5dbc914284c167b278ff921f70c5855eeec49f3c1885ca999b46daff26fa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
581KB

MD5
eae43f583ae3ae757acc122ea676ae7b

SHA1
af4965cfaa45e2ab5c0b453e29c2719c924dc495

SHA256
70c239c7dd960aa551cad0e136473b8686590cc8bf28a300859fc74f5c2a6748

SHA512
eafa99e50b63247bd8a93acde9cfeceb346666de9feaa225a7de3939a25c01c0dc96db3c9747d085136fa72e8abebdcd7810ec36b16546d7b3c672ee33d52e85

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
581KB

MD5
932a61925a65a4abc28e89ce13431f73

SHA1
e2047b3cf92c9f3f58b7def39bd3c76f4f5476a1

SHA256
f89ad43256aff105fe0f92291ba9815d0fedac5bdb8568f640e035c07af012ce

SHA512
6586b04b83c7cd018ab48ec5b07aa05bbee8337df82cce346f1d7f45b900d8ebbb4cbcbc97e312718fa5cdb0ea06d777b4cf3116d8117f7ce3af474ce318b7dc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
581KB

MD5
3dd42df786d8fffb9c19ffa8c5bf60ed

SHA1
f63cb2e4549cdb0066a71aeb10d64d948fd9a817

SHA256
36292fdc1b565bcc82efea7a79ff070c815187133c2ffd15b9349edb6f4d75d2

SHA512
b900ca913c739e52e3a914c4e3c942c9f9269269fe245229838ac1e1f030a300cb1dbe281ebf5799733037ae08e02ec45db12b28e712590dbd8f47b3fde6697a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
841KB

MD5
97edd34fda5b4d46c8ca08ee33ad6fb7

SHA1
237abe15dc8812e7e84652ee1a731e7962ae686c

SHA256
32ecab930c1693ea9459fd5e90c5d9674bca0bf4f6b568abe6509f8ba52591c1

SHA512
68d3f098f150c8b60ba99d8a4e8e7bd83a8f29e62875aa6fbd81b72d879e9e2d7d78d35910b41c0f9b408bb45840ff905693755217eb1a50176807264bb1b970

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
581KB

MD5
59f25e84b6f6cc9a0fab78092b22db4a

SHA1
25bcad9dcc1ca69263da3116c8be9e3924b47de6

SHA256
26a659630c55f0199f4dc1d9b636ad8e33945951a09f032b0ccc815db25ac02b

SHA512
df9156ce2db28646268efa23f9b6f45843a59997d6988da309650061827fad498de3268e56ebe1bc3fca605f778c5320698d718912b632888db775fb1c31d312

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
581KB

MD5
d8ea513fc2592fd2e096316bc5824e4d

SHA1
a6afd03cd43f84bf1b446d140d624e7e208e03d3

SHA256
56a664078c3bc38200c9cc16324c42e675d989da4997711629e24dbc8b73950e

SHA512
0bbb221cfe1af02693f25bd4127e67e0bc6afb4005e63f5d6a7ba98c68ca7ec17848bc1c98e274d836f112124f8dbc929dcc0b0b6606b42e9a0e7e83ccdb1e0b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
717KB

MD5
ff3f83f58ca86447d96872096146bcab

SHA1
aa025f589f0e5a9c90b130332fcc22fbed8cedfe

SHA256
8531a97aff8ffa2c9328e0f220b5bdcd9491b39711825b8b623ab319a4b4c492

SHA512
957877109d38dfb9bf254d4d671bab836de532af5a9d0d35f7151e1bcb74dabe6eb58d41e6ce06411c19ab2da295a1c264bdfadf1cf46b4911242d0334982769

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
581KB

MD5
b6b14561d0d81c2c5cf527dc601c02df

SHA1
a8303ede5ace4444e24006156b7fb241e3bf5e70

SHA256
8acfebba4980be9178968f69a7d6af75ab700f13b3a99d93b26e901ed7df3f1e

SHA512
7c0306e2ce490281ead5930eff8fa02116fbe0de3020de4495dc690b6cd863ee25b5534f5186e24c7f5fffb89b000bf1a9d1da0ab3b163152e1409612d925c3e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
581KB

MD5
5297b5f173682d1068638e06a8524e16

SHA1
3c141ab1b980af1c4f68ab979ae5c26f671e1eda

SHA256
92edec10009bf1b6bd68b8a19a1100ccd6bc7c4f048acc5dd9e09b5c87f63fd7

SHA512
e4e6245cf8609509a000248f07cda7ce8e4feffcbd3c4a3e514bcff974a5efd02c9db6095469cffdf87791f0675dfaa243e0b76afc656bd4d69f2a73c38b87fb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
717KB

MD5
c96265420cd29084ea1ada4fdeac9b2f

SHA1
be6bbe36c6747c3cde9808a494c7de23da3b3da1

SHA256
dc1c01cf295aa246c1f473a04268861bf6c66f039b1706345be36142279d95ff

SHA512
880399e690f949afea90d0beb91154a5b4c0f7f8748430956adafa0d05f9f7962be090c0c13e65cf5ea167944098cf73a5d9e6ec2c3be1c2d6aa44f9fd6f30a8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
841KB

MD5
e99fa44c6112181bcd67b8a0d57dd6c3

SHA1
8007db021bf5c40da1dc3ddff88f2254b90d6e95

SHA256
439696fc2bbd6b30b76cdf87b8d9b2e572a5b846f8a5bdd66aeacd38a26c86b9

SHA512
44d73a59e6eb828d33fcdb72adee6ea3637f773b477ad15e4533aa8a88ea65a87fb6339b0d50233623135eb663f31cfa9802d1e5e4e9173fe2571bc9c583bcdb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1020KB

MD5
d0c431f011a4a0fd4635851999ef2a59

SHA1
33586d90d76da2603741723506994b953efbb8a1

SHA256
4645646fdbf1cee3374c5c3c57a0c9f5c26269e39e11253501246cbeb2b5efcd

SHA512
431316805ce0dfc2fbed5b5bc1040394d00a38c2c1705df0f2b81bc1a8b6629fc5c2cc05308f9dc86025ead036716ed3aed5328ca79b9a2f9f8360517fe5b8e9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
581KB

MD5
386befc65ed43d885886c49b7774366b

SHA1
e75117aee131cf04bfa37ebdefd99185a43cd63b

SHA256
2f543f314ef5dab9ce81c44415a980e8440cdf61af64d13f867143df6efc6fb4

SHA512
1dbf75b189338596a8a586400962e2aa6593730546e7994881c7bdc0138b3ecba27706568dd1bd4d23f65c5c135e6a1d7a401febbb50e298956147c250b5ed26

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe
Filesize
581KB

MD5
dc53836d7b55def7be745219909e84df

SHA1
ad5754b86487b34b7785ca3a574d1d21000be7e3

SHA256
11cedfb946e2048df172318fa06fe5b338e0940198c2f8574f80652ad39dbcce

SHA512
11dcc6e3a34c75bc118986635aeb228d3bf30d4e089259c4498a6f710a9e1f2bb00f451b120eb9ec8266d3f176e5b541063edac2b52d000a8e393919d29cbae7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe
Filesize
581KB

MD5
853530c99458bfb68a87ba4de99ee0c5

SHA1
78c87d96980e718214624f25454d3bde874afb08

SHA256
2623400d5d340089cc59f8c8bf901828056749eb204a10622f77cd9c079a178e

SHA512
cf6501da7cb03e52f326159bc26b9c4aba3d3ed2d8c8594c59571f1bcac6aebd9fc5b4be9ea9f0c6b93e1e3753e2e9229630cbf7b774c5718fed841e48a34fb0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe
Filesize
581KB

MD5
c733d1e864c59c2573fffb0b9d088512

SHA1
d2f87a909e56645a2fcd0361a6118f55c24196a5

SHA256
8fbb17b2ce776c666b7dfd0d1178f848adb550ab63576831a56497c1662f8257

SHA512
ba88c1ca77430c1425a9b885bfb1eb9afbf4ed2e3c592da5295c007d9e5c8e821236d7fce1ff71e53013403fcd8bbae401fb3a853ed496db4a75afcfcdfcc05f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe
Filesize
581KB

MD5
919834eb11353f493b746de75ee50230

SHA1
174b0e5463d6f1343177ea39103cd427f38ffd97

SHA256
923b280a7a71d8f76d4d7ebcd9d5aa5f110e20ba5ddbbb0657a3f465065ab89c

SHA512
ce914ee81a4dbd0cdc590aeb7c2507a4b852a98c66311fba2d10519cd101e922073b10bb4e1542919326725650bf288b5b29b11c3256db57f36d97c957a9718b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe
Filesize
581KB

MD5
db2a734acc96365f973a236f6e382392

SHA1
3b8c6bbb7feff608782f3c22016d70423db538c2

SHA256
3c5cdb21274ec4996311ef6b36ad9203d5dcbc417ded1395358f75b0f00271a7

SHA512
c724243a21bf340124374377102e5ec0dd28db9622e970631329d936ea473580befc68a8b1c1422bd4cf427df6f6ab3baee168fcdf37728c429c5787cb147a60

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe
Filesize
581KB

MD5
f969c839af311ab1d255954acac9579d

SHA1
0db2d5bb97b50c8e4db1c1eb01d0150c53aebc2f

SHA256
170f2528e9e0b0f6e09729ac468c69aef6c6b7bbff0057038867dd720b51fcae

SHA512
93ba9919067b687fd56c8d7e9fad857352a15ca6a99b59905535aee886a325a1fd77b8f2cb3e3e93d9c5c39c8672c98b35bdc962ef15bc718cf3eeeede837792

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
701KB

MD5
5371effd5336c2764a672c585d01cc3d

SHA1
c7b949393d9299e7701bf124daa2dea2cb377221

SHA256
6503618ffdb697333314294b5f5272ff6632d9b6469788c234ce7a82ef4f5330

SHA512
ad4085631bc8c7b4662ebd1cb4039e6e4afb39563b29f554375645b335b371f5a9ccb7aaa0eb21dca69a0b8424ca639984584b1d8699bfd60a917a4b0b32b87e

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
f4166a99a0a9cc6796e7397072689b24

SHA1
9f536bfd5ccdc748ad6f2da55c34c03e9e1916a4

SHA256
6e3b02d77d2cbf3c3fb8c0a0a159c4bbb7b54a34d8c1f6305c5b2486b5080dde

SHA512
7e302058012fbd414a02d502a933a2c0a760f7011084142dfed57cc98765c14171d484d34233f05902a3928639a68fbd5597e618e0d5973f2e6351cfbf900bef

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
deebb54b9476416c80736f34a33598a0

SHA1
16c338a1b7b51216a37d585200e1604b4c510f24

SHA256
e30f7ded0a38a1243f3636639d00a9e46083b1fee345c57fe366a2701dbc787f

SHA512
7955e4f19e1b3fc818c370053e5946226339feec6c6cf7027eb089bc22812c27f55fb94ef9a565d585c710107738f941264cbabecbc9a1af1eb2383ac131b3b4

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
f2f3350bb62152e9e8ff7c8a2c003479

SHA1
7d0e2bcd958212ffaa266f7f28b3867a697158d7

SHA256
2cf342b1752aa1e4a890002fdbceb5eaf10c37b1aeb4a88ca0933d27278c094b

SHA512
e8029dafef7c447829365be9b3dd484936d4d056d9ef74f86f8cc23c9fbdf3164f57282bdc23293ea798659e65b5f071f293b2babdb6f37b67b8970a40cad8d8

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
46114d3389aba48da2b52be3f119ee06

SHA1
6d166dce4fd117e3bf0711abca4cc3f16d262756

SHA256
5ff3f53515f98a39e0d11c496e34a10103a06f0073c62325d1665e5f9ff9f32f

SHA512
823cad29886e9f83ec989c51dbf21b3c4b49aa2483a1291d6f5ebeba0f3c02dfdcdbc7c9cc7c156f7315512f1470ae0c2698ad91b1fc85c83f03fe85e7a0df0c

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
347f7f28eb9d6c84b87f3d8ef1912333

SHA1
43d0a8bdd0e1163199d9ee84e133a5e6ee7e8201

SHA256
4c35a5b5e7d3a4a15b809fab9f9d9e813eef8a32703266ed2404ad5f7f341938

SHA512
fead4132622144be03335c13fa0435e6b72c646887166590209829e148c96358d98dcb7c6deecd03abe8be9a95bf7c70e24de3cb487ce7fef1f29543d7e87a24

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
074616f28ac50ffc9f585ceccf84118a

SHA1
d18a3e8c5256890cf3f4028182d2548965b9f8eb

SHA256
fdf099c9c13653a19f1490fb79fd8bf8fa81c94b251abfb8c5135b5704f1915f

SHA512
789cd4894d95d51c0e5217c8b1f2d9d30aa8cf4e59da97378b159fb0f2af515a79b156246f664a1da489a3ffa8efe7cb34fc379c8e6a377b2cb53d76dc8200aa

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
95631a860ef5b5cefafb1b588c9810c5

SHA1
00e55cf131f7439a0cc99a63a034611544bbe738

SHA256
3faf9b2c3c4362dfd80dc4ac9fec660a1b5de12d8f4a925031201f868b358a26

SHA512
3a8cb28682bc9b7e510a455377cbeb02995f4c143941d0792c63b0b3c7fadb9b524f61f08442361eddcc0974343b11781609e124832f12cf02e050df807e0b7e

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
60c7e4126088a4ac528f38da48260770

SHA1
4b64ebf8411b12e5cb396efdaaec270f205aa16b

SHA256
658d89900913eb007efcec261815a1884f38ed7b6159b69296c69dd9ed665d29

SHA512
ce958f86b585937bc82c6d0bc1644fffd658d82f45279210bba73a3cf4bfeef56dc814d3a6ae11d824018bfdc4851786de98db797e7ec98de763d476730aa9da

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
3ba9107fb496e2ef26e025fc11d5558d

SHA1
0f7214ee5fce28daeb8eaafad504af54feacb306

SHA256
a19c6d041bdeefffada2b53b454684fcd1c6d4eac98cce77ac9610223a123193

SHA512
c26f61342e74124d1225cb5a5ca669f85cd3601c0274cc3f1fd628e5bcf1eef21f66275b239a37da2bde2c834f7301784bd930f3bf9fb729130b55544532668d

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
fd16db329601586ce3cb512a764fc7dd

SHA1
766d7524cd66094f06a732345f7db35367f6ccf7

SHA256
3db955644e4b7f9c71bb6d33400e2039fca2083ad6641e0a1e30edb7ae7fba55

SHA512
05cfe9bfb183ca1055e497b07f0a2d56085759625d5aafa8357d5caf4e1ae20cea3370a21ac67dc8a2196b00c1fd6f5a22be5be1dff83228b04c9f01db1e5682

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
16b241d567898e17874815a8070fd7b4

SHA1
27870a39fa72dd35eb21470a228953795e047056

SHA256
8403e1bfe6ca0e020211aaefe921cad555366ac14fd51a605445a19e792e7f28

SHA512
8759add4898c691f8e09fbcfe9c0a04c843abb22f585a7b285a209092f821f499687366ad7301acf302a2cbe61a60fcf5b0db1530f0fe2c4084a5a0dde35dff8

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
ac48c290599864b6570e4d21e2e3ff3f

SHA1
97e3f32eab6a3df679e6e0a112dfe44de92ab43c

SHA256
65bf32dfaffec4b86e09f7a890e021b1e4de9a0ef02ac5fed24dfbc4be256275

SHA512
e8fc2ff2f5320626c48ba3c62b92dda27a895a330c56b1986cbba98e517d145ada05184a78341d319d409e3b184f827585934f1e487517e00f42387534ed2247

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
d77751437938a73120b1f59e71317199

SHA1
35879a1abcd1e452651f9d49229b8f541c3fd0ac

SHA256
90817350d69802c445cb3d46cd8f9b841a8688414e0e6a1b80f3d529f0a25cb3

SHA512
38b24db59b8ce4ae3f171a925ba6da30565238b68d2df850b1ce5dcdf67d06cd0082a86f965cb829411e541644aad7dd33257948693f10765b96d25fbe3e6d0a

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
d73e23616de935437f3969f10bd44f37

SHA1
99417cfa2b183f837d5e37a913cb2d8d59e767c7

SHA256
6976494899b75f309b7772e668ee993961870ecd258844aad81e66f2956bd059

SHA512
598f639361e0af6e307bba7ed8cbc7f585fe5e7d749a3d04e9a229f55ff6a85cc75b23509562bd1ced63abe43aba26cfaa317764b17e91ff000e0121c84cc117

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
ac0dde1b42605be6bc1417b393df88da

SHA1
c76898952a17ce4389247f93768a2fcc6a3c53a4

SHA256
68631dd6d61deb9bd2cc3c71ca46753b452bd4bd0c0ec66ddec14af048a6d9eb

SHA512
e0445029b7ba5acf81f534efb5961204970795c9ce55638c5d684b9a9adc820a1a701c96594f6022b6e373b9f60107737d49f028006ec9b826fdb2df0f27c589

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
4d6553861f89541c28b4c962e1f035c2

SHA1
1459b5e0439f768f28cbdb795097bcd047cf1187

SHA256
63acf1b223c208f1c5094df524562dd14730b3cca18d01ef3aaa15a0564f1326

SHA512
cdf68c8d5498f3c91e104f90180b4d8a7f08c86c689b74d4aebc911c3f26eefa38ddbe995a2326c3d8f3d47d664bb024ec22c4e9428869bdde49dc793b11868e

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
7e6471c9dd2c3f8757c51294c32bd135

SHA1
eccdaa98cee408b642d60edbb373de39395b918b

SHA256
4b909e512a60bbb4f018344dbad9cf0e3d7f288e6761c64e5908908304ff0072

SHA512
7a5297d88bb8a0a9de0846136e9c2269f5116212c849b77dc539f9210b9d2197d1c8251a5956dfc06a0d88f8704f7053f7f83e96e042de9cad6fa465cdeeac41

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
7378158964495366038b2eb2b3c115b2

SHA1
b688a4fa6580a9e8ef7eb3c2a7a9ceb5b032cd28

SHA256
7d29894e084c2d587f66801a6ad3361ed818f02590615f039f3c8150e5d067e5

SHA512
b54261c70fead08d04da4e983e86fdd974889424ddf3ae2c2b9443a7fe46cdb793ee654dc8acec33798f5870f66613dcb50755b7afd63269859131a9f79e9c80

Download Submit
memory/396-16-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/396-22-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/396-11-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/396-235-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/664-66-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/664-75-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/664-77-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/840-422-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/840-664-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/956-306-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/956-425-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/992-245-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/992-244-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/992-363-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/992-251-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/1064-438-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1064-656-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1064-323-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1492-402-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1492-663-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2160-387-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2160-383-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2568-666-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2568-426-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3156-389-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3156-270-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3508-256-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/3508-268-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3508-255-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3604-51-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3604-50-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3604-42-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3604-237-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3612-524-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3612-337-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3620-658-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3620-370-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3680-285-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3680-401-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3704-1-0x0000000000690000-0x00000000006F6000-memory.dmp

Filesize
408KB

Download
memory/3704-28-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/3704-6-0x0000000000690000-0x00000000006F6000-memory.dmp

Filesize
408KB

Download
memory/3704-0-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/3972-668-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3972-447-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4320-413-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4320-296-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4360-390-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4360-662-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4740-64-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4740-54-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/4740-60-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/4740-71-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/4740-73-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4900-340-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4900-653-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5004-30-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/5004-39-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/5004-32-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/5004-236-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/5024-657-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/5024-352-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download