c026e8ba2c12b97d31946dbe49ce661003543d5347c2022d5577149fb92206c1

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 09:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-28_90d3b933178f3c6cf42bfe4b1ccffd6c_avoslocker.exe
Size

1.3MB
MD5

90d3b933178f3c6cf42bfe4b1ccffd6c
SHA1

1b1414ec8bde029cca5e4e0a43cdaf242167d99f
SHA256

c026e8ba2c12b97d31946dbe49ce661003543d5347c2022d5577149fb92206c1
SHA512

27db95533b4ebb46369815bc370b3e28a41e99d111ba9ae049f617b868e11617138b6a44a5c46115ec01a1f6539bb8ec76303604247ea0c08a11124ed383373d
SSDEEP

24576:32zEYytjjqNSlhvpfQiIhKPtehfQ7r9qySkbgeddF3B7zPkcowwtdwKzDXkDNJ4N:3PtjtQiIhUyQd1SkFdd19zPkAwtdwKz7

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exeelevation_service.exeelevation_service.exemaintenanceservice.exeOSE.EXEfxssvc.exemsdtc.exePerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
1020	alg.exe
4064	DiagnosticsHub.StandardCollector.Service.exe
3936	elevation_service.exe
984	elevation_service.exe
2456	maintenanceservice.exe
736	OSE.EXE
3708	fxssvc.exe
5112	msdtc.exe
1880	PerceptionSimulationService.exe
4368	perfhost.exe
3000	locator.exe
4372	SensorDataService.exe
4600	snmptrap.exe
2552	spectrum.exe
3264	ssh-agent.exe
5104	TieringEngineService.exe
1228	AgentService.exe
4592	vds.exe
2912	vssvc.exe
2004	wbengine.exe
1252	WmiApSrv.exe
4704	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 28 IoCs

Processes:

elevation_service.exe2024-04-28_90d3b933178f3c6cf42bfe4b1ccffd6c_avoslocker.exeDiagnosticsHub.StandardCollector.Service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-28_90d3b933178f3c6cf42bfe4b1ccffd6c_avoslocker.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-28_90d3b933178f3c6cf42bfe4b1ccffd6c_avoslocker.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-28_90d3b933178f3c6cf42bfe4b1ccffd6c_avoslocker.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\41780a137489627c.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-28_90d3b933178f3c6cf42bfe4b1ccffd6c_avoslocker.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

Processes:

elevation_service.exeDiagnosticsHub.StandardCollector.Service.exemaintenanceservice.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{0C98199E-BC2E-4534-8EDF-DBB11EF8974F}\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	elevation_service.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_101187\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_101187\javaws.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

Processes:

elevation_service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exeSearchIndexer.exefxssvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ecb1ea315199da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004b3e97315199da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000533bd5315199da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000531790315199da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000011a199315199da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000092d08c325199da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000c2d65315199da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a5cde9325199da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exeelevation_service.exe

pid	process
4064	DiagnosticsHub.StandardCollector.Service.exe
4064	DiagnosticsHub.StandardCollector.Service.exe
4064	DiagnosticsHub.StandardCollector.Service.exe
4064	DiagnosticsHub.StandardCollector.Service.exe
4064	DiagnosticsHub.StandardCollector.Service.exe
4064	DiagnosticsHub.StandardCollector.Service.exe
3936	elevation_service.exe
3936	elevation_service.exe
3936	elevation_service.exe
3936	elevation_service.exe
3936	elevation_service.exe
3936	elevation_service.exe
3936	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656

pid	process
656
656

Suspicious use of AdjustPrivilegeToken 40 IoCs

Processes:

2024-04-28_90d3b933178f3c6cf42bfe4b1ccffd6c_avoslocker.exeDiagnosticsHub.StandardCollector.Service.exeelevation_service.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4852	2024-04-28_90d3b933178f3c6cf42bfe4b1ccffd6c_avoslocker.exe
Token: SeDebugPrivilege	4064	DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege	3936	elevation_service.exe
Token: SeAuditPrivilege	3708	fxssvc.exe
Token: SeRestorePrivilege	5104	TieringEngineService.exe
Token: SeManageVolumePrivilege	5104	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1228	AgentService.exe
Token: SeBackupPrivilege	2912	vssvc.exe
Token: SeRestorePrivilege	2912	vssvc.exe
Token: SeAuditPrivilege	2912	vssvc.exe
Token: SeBackupPrivilege	2004	wbengine.exe
Token: SeRestorePrivilege	2004	wbengine.exe
Token: SeSecurityPrivilege	2004	wbengine.exe
Token: 33	4704	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4704	SearchIndexer.exe
Token: SeDebugPrivilege	3936	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 4704 wrote to memory of 1992	4704	SearchIndexer.exe	SearchProtocolHost.exe
PID 4704 wrote to memory of 1992	4704	SearchIndexer.exe	SearchProtocolHost.exe
PID 4704 wrote to memory of 1452	4704	SearchIndexer.exe	SearchFilterHost.exe
PID 4704 wrote to memory of 1452	4704	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-28_90d3b933178f3c6cf42bfe4b1ccffd6c_avoslocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-28_90d3b933178f3c6cf42bfe4b1ccffd6c_avoslocker.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4852

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:1020

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4064

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3936

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:984

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2456

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:736

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4672

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3708

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:5112

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1880

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4368

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3000

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4372

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4600

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2552

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3264

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4868

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5104

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1228

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4592

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2912

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2004

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1252

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4704

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:1992

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 804 808 816 8192 812 788
2⤵
- Modifies data under HKEY_USERS
PID:1452

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
852e61425ba31f84626f0fb705b4d500

SHA1
a069a9ba1331ec5a7b76582db5dfdf2814476c69

SHA256
b9193547b4c33a89822f985e8f5ea9f4197647f434db67775af3198d51ef0634

SHA512
9deeaf764a9522012901f7b20d706f039650f19b663afd6b6ab2822b3fb2274df7946d2fd773d72502b032ba9dff59d0cf67dd63bc006fa0dcb31a898bcfb7bd

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
789KB

MD5
20516d1c5a3d03aa25ab663c80f0c4e3

SHA1
a0b28c218c4050dd77187394cf8f780893964fad

SHA256
94d43055187ac7657993cab009e89b96e7774c1b3f2805cc36716582ea517cd5

SHA512
9db89f7a057d121500f2a16bd710e7a183ee1c341fbdc2af9928c47c22eadb3b9e8c78eb218f2d1ae49b7ace5dddcf1cbe008cde5b39523e29abea23d99e4f65

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
ed9d36d8cbf07feb94d9aff03b359b35

SHA1
8fd7560218cb31163b69d53384231b6e6467e623

SHA256
b9343e76a5f546600657c3cab96f3316a5074212b260297443d59d77f9047dd3

SHA512
2e672e27205c21fc6af99b8c301916e7f37b84829696ca8eb9643db6a5c4142e490d31b5d78e6a2e675c9832cae273854628bf01738fba0e0af3197bd5140128

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
bc08290d7b3ee0f86a084205c4edfc07

SHA1
2321fa5316b6856ae5d616ecb186f6c8cabe57d8

SHA256
73870439a920edede68c7acd18ce442a8145fab729969485caa7305663b4e2ed

SHA512
8628dacd74b5535df4255aa7619d984e3a8aaddea7f15eb5f0567b7f6821b93bf46cb896bba0c70911c90fc9b6d8d7aab03da8f345967ca75e7c569ae5bd6962

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
670655aa62cb4d01d99921c05ac29506

SHA1
91c3a8383d1af3424edd641047020bee88b3c775

SHA256
84a1af0cdef8563e99fd061d9f58f72c48e81ae66a3dfd53794761ec544c397b

SHA512
2ed7abca3f4ce4f599b9a2ef6deefd2df6495410f037aff2e87b3bc57a30b3c49d35ece42ba046670f7a375114b6e10b8445889a0902f37778e3c30ba3287510

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
2497192a685c0061f3ea97d5c25eb0ea

SHA1
b58f248de9e1f4d527ea36c4f2da95915e0a7dc5

SHA256
1ba291de516efb844ba30252d5b942642ee2aacaf8b89a391f62b016415912d2

SHA512
3513e3bcb9611a08e47aa12c38970957fd45594c5d3371b572845fbe583070e91d64d96e9bdc415b6c75a1a378794cce30d8ed0547971e7ed96d10b818ee73ac

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
dd0bd0ec3337b38850be903530bda93c

SHA1
cd6858d024f59b1d855e651d2b191326e6083f82

SHA256
6c4e3aa84ce26c1346c0a982f73acdbbba9e838c94327bd46e1c31307f656eca

SHA512
f0d2b98cbf9b9d7f8543e40e44fd2524233661751e3779c0eaa9123257fb4425f3ea1db6d9d0e17a6d82cea7816c94f270c0693efcb06165db69742f4928224c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
34c0fd00d8cc70921f0cc7614ea322e8

SHA1
6053b9e62ad2f6ea4fad38c2b7947d1622f96457

SHA256
e988d46e32e645aace7313736f2d0e71dd4668285f21b758906f006c1f1aca1a

SHA512
03a6e9b9c798d78313c2ba2b3a12e96a617f40a13383a1efdca22f86e7ea003b4786855917b9f815ba193a80d8c6ec18ad06156387a1274fea72c2d50e6054e0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
c2545d6002624bca64aa691f4084c074

SHA1
fcb1c9dd314af1556d7511fe35ded6cb005b721f

SHA256
d85ccd17de67a1fdad0faa75e2895cae3d03d6fdf4a6adf8f520f15bf2d62115

SHA512
89b0e5b0c474f460b95e8c3246e74d6809cca7c112db1d50b1ea7a9d4588d8fb70d70478ec95c8ec4180b770365237c7be97d3a71979135ab7e112c8e57098e8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
a163eee16f9edc62d04dec5ab390b0b5

SHA1
29194f021a18194ddde7cc27636b8b23b81a1b70

SHA256
6319ef277ee18c5b3d1e7146b51f301e75ed75deba42d4f2e6a9b60e17399523

SHA512
3776a8b4f9989b04c4808bd255d44af2256c9950353db150a1b395d0463f889e7688215ffe8f8ee0f6eb78bd576d7336c34c9dfe3ceb0c76fc7ddcf5fbeb4704

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
86a29c501cf60b0895d2981f81e67f16

SHA1
a7893239309c9c82af2509b57db05c619e6902cb

SHA256
a6a1ee08adc4ed7fb8471e3b438e8286e68f57615eab1459d8fa92759c910c59

SHA512
b06c5119c21954fc4c7ff466f02aae672c27c830bbff5401878eeade0f127e22858818985caab7c4045a1502f9d53ed7cbafd374b52c99e644666a76f712eade

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
b0b96a28976792091564c48d6b0a6160

SHA1
3c15b478f0a4e3f21fccc984827ebac0bdd4a0de

SHA256
39877725f8890915231cd40fb589990e0e5db3c9fe479ca2a8e692a64d768751

SHA512
369c87cbe46de49df55ff46b8f0bda23bc079adfe6d67c45f6999dd73e38dcc13cd99b2348d2034233935421f3bfc219d78391829f3d237a36722b9b8b1dc2f5

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
4171c7d56306a41106f1cff416aff39a

SHA1
5042e125527aacdabca7ea9b7991c477f6566639

SHA256
1a46c092caf788389e29601448cd9472e75534739db14f2c665f566b43bc97d4

SHA512
9804aa71c35b01509611db366091625d13a8b548fb09ce34bc804f9d230f8ea7d360b726b92eb78d09092210dda81581341d290c9dd9cedeff89af94b16f796f

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
4bcbc603d7f562d35e13934e96f50f34

SHA1
ea956e3eeadc85924e61742783e69ead9eb4afc3

SHA256
809e045118518e8ed870fbc2144a3997ec092ce4d2bfdcb44cbaa2d9bb541da0

SHA512
686cea7fee46b609602eadb808ae10459118d51f944b7b8d6a7f9593288c69868ee84de9223276d530af5eb15eee9bae2fce395129aaaa5797eee05cdb0b7806

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
Filesize
4.6MB

MD5
388a177f06948fdcb7d786382deb9526

SHA1
8e4b2ae511f7f29e62301fbfad28551fd68ac059

SHA256
de982519e346c5745520abc127c5300b74decbf93abac0c43fbd82dbb64de46b

SHA512
4d2ecc94895f0538aa3300b98a91e2c3de2278904f744f76898d5a7d9a224f99dc7e0f392dd38512baa6a00a4c303f8d0ecdfacd6a4ed31cf1bbdc71efabbdb5

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe
Filesize
4.6MB

MD5
80e61e0a909d79b79651c44bdd21d8e2

SHA1
b8ee41339698ec563ea49ec49218b1306e39e6b3

SHA256
024c89407dcfd43a6b639fe47cc51d8b6e01188dd7a4bf95169e4cda5af06ce9

SHA512
3c8c1ff9dec1f22e948d6997c77cb282dc5e327e3fa9f261231726359e386c106c0b7b1f53dd5d98f05522727daa9a57f0867e9e45dc46e979b5875f4e9ca782

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe
Filesize
1.9MB

MD5
b6b4d50ac48079ebca2c1de35125a87c

SHA1
d84cb53fb0f29399c05cdd9165a1155197cacd26

SHA256
770b9a5f606895db6d5dcbad01cc59e92f9b854590dbac8f8e0782a90deb47d0

SHA512
69c2f73252a818ae160f1ac8235d73f5bc984288b198a4581f623f616a2128f44363126cbc448fc1cee9ca7d1c299c9545bc0e2776acedf931de53679a325880

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
Filesize
2.1MB

MD5
9625210c6a0dc79c3a3e2a2fa3048ff6

SHA1
bcfce203ed7e13c794ce2ab7cb4b95b548068afd

SHA256
fe4048c57fd312238c47ebdd3262089417c4c49e43608b66f3f1eccd2f05c819

SHA512
2d7e0fccba84175058572adb093f2e74a637e8d8d4a2fab819c85495f450061ad93fe34734a3026dacd20467a6fab7ab326ead0e56ed3f4209b6d4711aa7c2ac

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe
Filesize
1.8MB

MD5
10323e96d0fcb66e2c386b13b4a68364

SHA1
efe7f1379f10975f7311a19d81d114443874eb96

SHA256
f2d6260581b1d1547ccd483c40df524debdf4a4946061542aa1e91ccf9616ece

SHA512
7e1b7680b63594b4054c66e946d8620317b8f8a529251d0b120c441d90ed910160ea51355032ba99eed3931979e4101990a6f5164483c720d238430fafaf2e27

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.6MB

MD5
80740b0521f4aa90365e7775dd11a1ca

SHA1
14b137f09d2cdcae1b1e68b0dd82d9a911670b8d

SHA256
b04bb31e4aaaba457aea10786d64e502aa75f436580df12b5c29ae5a68448794

SHA512
9e2adacb627c85c73f71620db9dfe33a2d58a1ed2a79a1846fef8642b50f343685e6f2f6cb70ab5f2c97e9d643f01d7aa85d55777b72bc18c8ddced7d4d10ee7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
581KB

MD5
88c8b8ee9581b34c717822c328890f25

SHA1
fe0e44f3e87899952b1e268250752d706dccde53

SHA256
afe39edba9f99121da622402936ddb128aa4d0eaba0dfd7b811e2ffcad25c903

SHA512
bcfbb15018f2c2ffdd913bd86980ea36c04a7323d705a1655eecc070eb8bc8ee06f0d5e4a86d833b4c319fdbc9bae1fead5cb58b8bcf40b96eb2da73226f44c9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
581KB

MD5
b101c2e23e2a2a9c0c1a4a417c6399d4

SHA1
d05757fc8f516f6ec1fce8b41b94a9b40abb41db

SHA256
54ab404648b6da7519dfd310e94feb657c04c4d5a6b1f0bb12635e540b8dae45

SHA512
e2f8ae8b746e35854a4f12c8bc603945e7623763b5fd998d577bc83a67e61466e584e48675ae4166234787b4c82cfb70712914c43ce121154376cad4dd3ca517

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
581KB

MD5
a01fd56ae6768bcdc94609880cbf6e41

SHA1
32c76296a2f9bfcd796183d15d6536fdd04968ae

SHA256
0a6f719a32eaf7d06e7df2f6b659b038065edad9886bb328450c0b34728012c7

SHA512
a0e3105770c5d89d28d139b8528d669482c86401ff53e43922265ba11a051c80ddbc66eedec37e8926d3e60e62d67887dd1f5c4c2bc563053500e6da0de36264

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
601KB

MD5
3846855e2f58f72dbc6626786354f6cc

SHA1
4358b89df4a81ceea977e1abd0d9253b2fb6f42f

SHA256
7b062104600fc0bbbac9b2918fd71db309a70b6174e56fcc7314034c39defe75

SHA512
65bd2366e9eee04ed12a01dc3d5ace7a10e9b372a8c77fbec129de25dd46ab6e5f6d4975248a4b967dae2e5f697a91f4353b0dd8c7aa2f850e7e98893425c6be

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
581KB

MD5
9177856659c3206127d61327ab0e9d62

SHA1
d6f098eee64bd692416d06c3afb7b8bee63eae0f

SHA256
1776775b7ced46130598ba36393e4aeb01c049f7138530ec44a6249dc676493e

SHA512
38ee6395ce1ba621446497e2ceaa74c4fb0b07c1b738ee42581c6726a1f9b4eef35884fa65689f86496bfe7ed6f891e7974d62ffe6ec9c729e5915a7cf56283f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
581KB

MD5
8c4e58573b3931bb9414a81382b96c5d

SHA1
085e429d12ca5d821ddaaabefa3433c840756834

SHA256
b961c3774d08a759e617708bb70ca3bf6c0cab7d4dbb1fe76198b0fb3637ce61

SHA512
7d4555fb58d5d061276171ec341f0fb220ee71c7cf3969983633091b782fc82c64ce80f0977c8a3b6e817517b3cbd850777cb079c71a46ee5a7199985eeee796

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
581KB

MD5
d8833440294269fd66e970e346970442

SHA1
c7115ea1422a935f07bfe27d803e749c902fa1fa

SHA256
338aa2f91c120a997664013a6ab0ebf40de8724d97dcc74328b76d8ed87c6ea0

SHA512
6d864ca716fde256b06bdc3e9e2d2eccdf9eb8666148c4725b3438e97bde52c0f67440d31cbcf7465e29cd59734192c2341729e3b6298df8ef3a90fa23fecfdc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
841KB

MD5
392b717969f8b98c2418d027d2bbe87f

SHA1
b57f020b69497ed8a45af340da8431cba906784e

SHA256
77722e84dcb67719ad8e8a00435d3824675d9b401573246e14246f3f32564b38

SHA512
30a6b8648cc75b19697f6e71cbf0470eee7f57ae15e15c5ddb43a35d3ec2474396423a4470da9f283bc341045155033feef5f97943621bddaa92959469f2601c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
581KB

MD5
59f1e340a7cb4042cdb1fc5a4f5659ec

SHA1
9a893104c1938150cea234c7d6bcbe49eac5f8b1

SHA256
803f12f33da090e091350f626d800e40a99c446d575d3a2e1a01f8538d21b636

SHA512
c2c0c64a4c24f0dbdebceb5cb82a25971528c4c1e00f037b7f50d42402559abe74e48d3499f6b1bce7b94bf9c7781fcd28e9768904916d433c61db71a5520791

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
581KB

MD5
fac1d62ac8451abb7703f1295471b7f4

SHA1
2ab3ee7170effe695d82861b5946f2eb9779911d

SHA256
1a50dab7a60634deb9f7d882ce3644c46862c30228bc2212f38bd0e94835784c

SHA512
12becb9c847a60cb440925d773b56190d0abd4d2e9db535e5fa493ace2b9edea7957c26b6d5f4688dfe8de731ee5c9d0b29724e1420396ba710c544f107eb22e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
717KB

MD5
8758e104cad690f8c5471dbb8eabc959

SHA1
9389b1309095cf7432639a9e150b635942f7bbb6

SHA256
23efd183d79da6bebccc634ea9afc9b7e1e94f79d9aad0e9ba1ad1e4fb97c31e

SHA512
c132a0898c89ff82358e87d8860b472bf48ebf79db5f5b90627ec223f53c5d693a344c34a1fdca7ee6661ef5e0d8d3a89464cff555501178799dc1dce91d551e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
581KB

MD5
72276d92a04b7df637822629c7381f7d

SHA1
85768239423c88f70ba1572a8ee77f38d4322d75

SHA256
d36e94365664a5a2856e5f130ab44719db724c126eb3129b93f870b7c433b377

SHA512
039d414bc34ba059bb30e370d8effcbd3dc2a125b3a2d5a39b9b10a1eb8c0849f12a543d919508e31b2934e939035bdeb19f9200a94941ec89376caf2bfe308b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
581KB

MD5
33706bf469566c96c5c8d7c8c140a4b3

SHA1
71df6343eed9155657c61a7467494903cd6263cb

SHA256
784022fee9f774ab44d10f294a4a2c9430c98acd8e9705ca0a7fe7f66da98fbc

SHA512
e295c0a5dfe86e02f6a5a41f2cb681577b0ca80d91dbc26e6bc62da57e6ae4749ace2590986f0e217976b7feebc8374ee8f8d84675f0fb5372364c744c5417fa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
717KB

MD5
a707c6898cadb21b7de42e247ca677cd

SHA1
1a87eabcc4eaf1da8ec0f597c0269faf5f76ce1e

SHA256
0a489042de23476decaf99f9d8b128240c87417e8b44cfe9bc297d267869d28b

SHA512
0a1f90b1b7ca94f990fba9c899c4211396ae72e869c56f54c1a65a1454b23033c45988eed666b0348309f7d50e334d96441d4717fe3cfa81dfa496f631eec841

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
841KB

MD5
1eb5a4db631a73b401a0720383336d4c

SHA1
bc6eccd4093892d760ea875dcbfbc53d2dd6f0a6

SHA256
a4cd1fc098e4401196f115458e69c2505e01b0fb92ff435d4d39edf314d41dbc

SHA512
60d174b353b5e9af2ac326d4aed50e945f89cba2154892d0d1ce0b944a805dbc51dea3fb4a602b509da0077c57af4f0e74bb0d3895e9388acf5783ab246de1a2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1020KB

MD5
eaec28f17a7ce152f492dad7aedc0e09

SHA1
87d299a480bbd82b244cbbbb326cae1d293fb654

SHA256
f3c3f8c0e6db437e7e018f2625012987dec183f4c65c102a5b0395ac43783a35

SHA512
f4de9a4d2a3a002be50f379fa69f39b9e81b28226a50ad693587800b13a15880aced36e511e937ee692db73792ef24583835a67e7e4c041d3c7c8dbce0a51ad4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
581KB

MD5
cd0a3466d776a1f2c12fea158266b9b3

SHA1
e8edecf210a22bfe40420ba05d0c3353f7559e81

SHA256
32af38e97e946125244af8c9a88e5f4b1460b0f23f411c3f66d44882bfa2d693

SHA512
94910a4e99178eab78f4d72ba5e71b603ff17806e246c1d2f9e2486c9380fb38616de8ea22348701372946db11be808928162a4dc22b5b2589ed799615df2e85

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe
Filesize
581KB

MD5
7d428762f4d5b3a3399aecf1d146a935

SHA1
6f354f20b3641ab307e7ec840a1ba721854f6d4c

SHA256
a61961a4b136283b000807a9f5c77d7af43a03ea9eb8c34b99847fe2d22d862c

SHA512
3831146df9f588c7368430fd9fcd8bc0f5bda12ad519fd3f97441d75024cacdda4739a91c76dc306cd6163d16d65c925a9b90c08c7709f157ea3fb8d695b71a6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe
Filesize
581KB

MD5
deaf46bcd11534564dc49298e41179d7

SHA1
0a2a80a4d60e9dcd6de75ae59cca3d300f28e836

SHA256
79e1d800db09904a86f7d17af8db0229007e7069c177e20daa60d359c3ee3682

SHA512
2244f69e617630c415a23d09230ff8b5f536e140eede88a38d1330701b1217cf84c67577fa6ab6d6823092076228396879c5a231b883f2897f4d45606438666d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe
Filesize
581KB

MD5
c98cfe615f601c7f16e6dd3a49e3b2f5

SHA1
6b69291c9a205fda2fbccb29ae53982b1f06d162

SHA256
c12df2fb48b0d7bf627bc833cde03a749980cc30b1d0e1e512d89ddb7c475014

SHA512
cdefac35dede6551035906ccd7130b61d66d298c4b3805cc1f3249f692134594320bf217e5174879d2b160ff94a04de7bcfedf1eb8efb8f96b381661e245b383

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe
Filesize
581KB

MD5
24be1036bfda9374e839b8426aab261d

SHA1
f79b3155bbcbae3705be33a1e5c2586f19163f26

SHA256
24f05c970688dc502d40062b2a22c65f4e574a3a2f360943c2a5b62362fa147a

SHA512
6d9c219f92f8034793e5f04e46684f8278a8a6150f048bb9fd30b192130331ef797200b79381b0b37727ef756f84542c6fc6962a919429fddfb931882859d4dc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe
Filesize
581KB

MD5
4cec8abb990d00b150d30a6f9bad075a

SHA1
9a442a43fa312219984a24cdaa2fadcaecbadd33

SHA256
896f99ee9770baef43caf4ca3d2cd8672ddf08e422dc9c2265888d4f8b40e714

SHA512
60dcd4390d7b3ffe3396682e520ff7d82663269a8cf6438d31a7fb8e4dbe6450a829b18555662cdc7eefa55ab0332db5f52d02668e1b45536464312233cb5543

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
701KB

MD5
70db64bfe93d0789ce068900c8a1b5a9

SHA1
241fead2a9d5e36d87e23044ddf3f07b1f588f84

SHA256
8ebf51b87f97998b80f41a4296bde023403ee764ffa1f303edf9f5e9270be809

SHA512
f1c90f1c45636f2c8be1e08d3abab338ff22d04481187696b20d4c2af11ab1c0da5c571ddf7b21ed8e8fcba8ddd6e49ee8e7c6addec5d7a97c87c3cddf47d5fa

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
1eb47cdd9730dff47b5ba608cced850a

SHA1
ca95b29c4b7e580aee088385025611ccf43a6cf0

SHA256
2bcdbf8c8cd75f2a2bcdb6350ed960943d3636701041e5a1266dee5c00a1def8

SHA512
f239a3bc6e38f64cd3de5eac178f40649036391f31723d58e2cd6502ea3455e5fceb93ebf0c257d21a4ba36f81100909831c63e5b1349d782cbd4d93a96848cc

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
abcdaa36b36bf49fec13166ac133ff42

SHA1
b1f447c383b56b0adb879ae87c2ea49351f5617c

SHA256
268a53d3a259ab7acdef927cd8c41aaadfc7cdec1903a27680e2ef978e7b9561

SHA512
642b6de0deeb80da1b79339676cd9acee52eb9b7bffc51c529239bc9b2b5964695362c8042ed31406d093ed720a96fd1aa3fd0adcad0d5d48e5cc9543247d649

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
be6f75d6702b802db48e9bafb70bb901

SHA1
d00c91a68d5a9f6a440a11dec28a2f075a8f0f2c

SHA256
85c1c6498cce43471ead4e3299ba5882c9d550d4a0f67d0be73bc2bb41fb8fb9

SHA512
1037115e169adcd522a319570b6ee3cfdac56db5224bedeaa2216771cef026f18185be955838afd08dceb1559599916e8c51d0f5bdbd4dfd897e74e83402923c

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
e768bb7954677b8a0f20d77a93d2e135

SHA1
22878562f8bbe9d0a1dd802e6ba9f4e7764923f9

SHA256
1a29109ee750b38a2f926de0c13e263c49ad536b49fe5bc79aa36247a89ff5ce

SHA512
f14cbbf5fcfe992d9bc978243389e5274b40f5066e2a3f4a530993a679c4b97f8d9def8f833e25e2134b78d870dd12f5a329b8e9c3d64f947a37576baa8184b4

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
dce76f1fe16f360f92e96e0db1d1b8fa

SHA1
faad0f2f50af0f0c7a344fa8a33b9a25dd5eb53b

SHA256
86600fca5939d4373df4515ece43c388a565796fc3d7bab8eb727e46c6173ef9

SHA512
5acfb7692b93ea032482d4cc660039f23a57676e92c9937b07a86cb67e710806666e27510654a3f41b39a2020c752d83ec41a1c3fb0bc954170af792867b9696

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
2b0023cfe11332c1b5b0233c2a664db6

SHA1
97779cbcc238c5cde81f9c74520fd57d63b65e38

SHA256
0188dd8231f08ad0bd16cf06e5be5dc5c7b13f0be1365687c64148f0568cc7a0

SHA512
d0bc439f39fded8a272c15d999e3ff93cf73735d0fd4e5153c5702f052bc23a82c2dd461e11ea8f69dd57967fd7a5bdfc1f79af2cd73a30d0d5da2ecfdaff0c3

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
f594267efe259273331158400cdacd6d

SHA1
c95c4a9e7816064013057cd4fbca7a255d79dbe4

SHA256
216759b9f805cc5b06ff4019093f01bbcb0495895c32f0a99a10e8d14673a5fb

SHA512
9a47c59082b7388c175930ec2b7646e247104aceb8e7910296513927f86b907717a6609d1e64f1bfbfd92f634e1b464bac09d7ddcc17e6f20c34b2055f92ecee

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
d6a8716a77b948794f2d0fc6827670be

SHA1
fd154b22225d559634aa783fa54b3746c6d44c9d

SHA256
78fbe00805844c62c8a0ed4e504010d8163e325c84877012ce69a68422d84223

SHA512
b66ad32e3f4203450931e54d067ead1590cf28ac565545f5d6f94d74e79d31f1bb2b83b268bab051c10d10b90b93a5d3ed32ae9074504467c04ff92b92ba9635

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
b9f2001c9deae9f701c856e797c039a5

SHA1
c2845b0a33fc7f593b40c9982a656c2575d9ad6f

SHA256
5e18b34ca741b9909789b9d18fd959ccc382ec24a00b5c51a96b4c27854808e8

SHA512
f1186f851b2d3b653a5433a22372dd68ffa5befa99b4854cf1fc65237f89a648422f1f173cae9bd2b0a17508e6d176cc106e419ef1d65cc195b7e77944a2bc57

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
5dd12203307dbfbd19a6b61277d6016a

SHA1
bcb5659f4e253453dc21b5fe02e1d5352cd0cccb

SHA256
2e12cc54b7d28a26ca5cfd5a5772aba73b8a4003503d0d17a84efdf84421f064

SHA512
d2ce127f4be4198a96a715dd237cc6f247c0ac9d6e1903b763afccf62473e4a8eb47674bba1fd4b3273223d1fd7619bc38bc0140a27789b07fa690eed4815067

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
0fec09c5e515b9babcbfe082b5f811ad

SHA1
64fb23b3b5698a0a2a86ba51cece0704ef292c35

SHA256
e4f077cf1a9470ffd2c3cf46d90f1a725ae7d09683506276a399757e8dcafe15

SHA512
dfc6e5615005cfa88b0c5937699afb7219b0b49614d14f3d073efb70cb06f2a803249374be1e4d95f355af222bd683de574e15e1bd34489d23f30cc940dc09a3

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
371115ae1c7e0be8c8f2880d35160c8e

SHA1
5a4a001a1f5b40515a30bb82b383aa02cdedef66

SHA256
1bcf8485c4be553087332264c501939083578f244fa1da85fe19026c1ebd805a

SHA512
d9c9d6711ddd07a0bb3fc638da18457c54c32ab8e624593a11726ddf5de3ea6ae6ffd584912982a3cd0480a59e077ef0bcf3915fd5917611eb3d5ecbda35d11e

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
8072264b50a01081c97753e5d926cf0a

SHA1
c54c0cdb96bff87b460a54174bf47415ad258cbd

SHA256
b9f3999f6929554a42eadffcdac940f19da7e3899b33391d042a6200a3371328

SHA512
e22863f3d036fc461aa29b4cd9163cde25a5d736d413f7a4825ee1df0dfa3a6f08b78d5f458a4822a0454b671af26e0b839dfe130895c01a494d72b152b35881

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
96acc8fcbf99fc397c2491db9051c23d

SHA1
90ff3a5204fb2fb0e771e3678e077548b0d10bcf

SHA256
743d9e3fa0dda165a1b803ae2e97cdb1336d40141bf509bb0498158bc4b53f26

SHA512
8805e79da6a57ee09c0637ff14f0b6df7d14f902fc905384871bf2119b567405084a7fb52ab16ed6cc623bc01c08bab3eb30e171a17eac4b73c07ce4bda2cdf0

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
115c7f5318b7d1cbcb9e48ce66a67fdb

SHA1
225c771ee22360321125624ce278d72c80c42a7c

SHA256
5a2136a005d3b21715830cf0c9b99ac3675eead9e394218fb1002aea04cd3914

SHA512
34ef06e3942dde5c4da819b385078511fe99dd1b143b217b146978877443965856d556d38a5831005f4377092e33ba6095139c426f6b06b3e8a7c9ed53c78a84

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
2c4f18d1b592455a6b9198a9d4fdc3b9

SHA1
d9cc77240671d08e7863cd6edb5f9b1b2864ea52

SHA256
544de6a14f145d15e9238be20cbc65d9d49b16ef3a45d7cf5efbe8b58f189f8e

SHA512
a0c4738b3438984b3e62ce07d28973959fe87e53d388895bc1a2d69a204ba5b9755529dd69a73b216346a4e957f346ef5d429f60626f2df24148964799e51932

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
0d960a129b90907fade91bc386ecbbff

SHA1
15bc019d95646c3c0a0750ff98bd3f7eff9a7e2e

SHA256
15dccc4c24e3b17043c1207ab0dba70745e55feae5bc10e936139bbd47d3fd38

SHA512
20b19c1ef07c180de6702f788341516f60bc0d0cff8b9cac9e8985e36ec23349dd49812c95dc468708fc8fcf46a7abdae7b33d32f2ceceb5d5a7833e85dca56c

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
4352b593428d88726e3ae1728ecb14a7

SHA1
ae35893402759cce0c4d68290611ec3b4e5e410e

SHA256
fc939c1bc933462738a32960c9d4930f29a951509a4f953c7468c4aa9c7ee01d

SHA512
942f75d03f9480247d6a1623b5e29554f30cb9ad89aa9a638ea2f7b64b4c3d79d8a8e6758829216239ca6a4e967ca742700df79c01fff1ae3f1163b51b8e2bcf

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
2b59edb95cc92aaf25633a731b5c2dc6

SHA1
d18f2580e189895304147ed7a40d9c83bb2c9665

SHA256
c2e62a8b7789c08315e7894b2c5ba7a8600b7fdce68f5d14277fd390c145bf66

SHA512
29a4122f045e2827b7b2ca9687661f46bc15db58179e47d868f3e7f678d2eb9031c0e66e055b28f5e05eeca5f18a887496cc83c321ef895386e97ba5dd831dff

Download Submit
memory/736-246-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/736-75-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/736-81-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/736-83-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/984-245-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/984-56-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/984-48-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/984-57-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1020-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1020-241-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1228-321-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1228-320-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1252-337-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1252-561-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1880-328-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1880-260-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1880-261-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/1880-269-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/2004-560-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2004-333-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2456-66-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2456-68-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2456-60-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2456-73-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2456-71-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2552-294-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2552-547-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2912-559-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2912-329-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3000-284-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3000-336-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3264-306-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3264-549-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3708-251-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3708-254-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3936-242-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3936-36-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3936-37-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/3936-45-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/4064-33-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4064-29-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4064-23-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4368-275-0x0000000000680000-0x00000000006E7000-memory.dmp

Filesize
412KB

Download
memory/4368-274-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4368-332-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4372-287-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4372-341-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4372-548-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4592-325-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4592-558-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4600-291-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4600-418-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4704-342-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4704-562-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4852-1-0x0000000000910000-0x0000000000977000-memory.dmp

Filesize
412KB

Download
memory/4852-8-0x0000000000910000-0x0000000000977000-memory.dmp

Filesize
412KB

Download
memory/4852-21-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/4852-0-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/5104-555-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/5104-317-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/5112-256-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/5112-324-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download